Virtualization
Fritz Solms
August 22, 2016
Overview: virtualization

Virtualization has 3 main options:
- Hardware virtualization: e.g. hypervisors
- Operating system virtualization: software containers (e.g. Docker)
- Emulation
Overview of hypervisors

What are hypervisors? The base OS runs a hypervisor, which creates a hardware virtualization for guest OSs to run in.
Overview: software containers

Also known as operating system virtualization, jails or sandboxes.

Definition: In operating system virtualization (software containers) the kernel of an operating system allows the existence of multiple isolated user-space instances. Each software container contains all local dependencies of an application and is fully isolated from other software containers.
Condensed history of software containers
- 1979: chroot (change the root directory of a process)
- 2000: FreeBSD Jails (additional sandbox features such as file system isolation, ...)
- 2008: LXC (complete Linux container manager)
- 2013: Docker
Uses of OS virtualization / software containers
- Virtual hosting
- Building and testing a user-space environment (e.g. chroot)
- Hosting multiple isolated applications on the same operating system
- Application testing
- Continuous integration servers
- Test server deployment
- Assignment assessment
- Container-based application deployment
Requirements for software containers
- Resource isolation: network, processes, memory, file system, ...
- Root privilege isolation: root privilege is isolated to the container; the host has a separate root
- Resource quota management: CPU, memory, disk, I/O, network
- Secure container management: creating, starting, stopping, removing, ...
- Container image management: image construction tools, image versioning, image distribution via image repositories
- Deployable applications (with their dependencies)
Pros and cons of software containers

Pros:
- More lightweight than hypervisors (shared OS)
- Better separation of responsibilities: the base OS is configured for the machine hardware, environment and purpose; the container image is configured for the application stack (app + dependencies)
- Improved portability
- Faster container start/stop/deploy
- More efficient resource usage
- Better performance and security than emulation

Cons:
- Security is more tricky to manage
Docker architecture

Docker manages containers via libcontainer, which wraps cgroups and namespaces:
- Namespaces for isolation
- cgroups for resource limiting: can limit resources for groups of processes (disk, memory, CPU, ...)
Docker server

Needs to run on the host; installed via the package manager of the host. The docker daemon is typically started as a service:

    sudo systemctl start docker

Functionality:
- Pull container images from Docker Hub
- Start/stop/rm software containers
- Get a shell for the user space of a software container (can re-attach to the container shell)
- Inspect container logs and processes
- Inspect resource consumption of images
Building Docker images

One can pull an existing image, modify it and commit. This is not recommended: there is no traceability or repeatability.

Instead, create an image directory with a Dockerfile containing the instructions to build the image:
- A sequence of RUN commands, e.g. to install software onto the image, create DBs, ... (can use emerge, pacman, apt-get, ...)
- Copy files onto the image
- Set up environment variables
- Expose network ports
- Specify the CMD to be executed on image start

The built image is pushed onto Docker Hub.
Example Dockerfile

    FROM gentoo:latest
    MAINTAINER Fritz Solms <fritz@solms.co.za>

    RUN emerge --sync && emerge apache2 && rm -rf /usr/portage/distfiles/*

    ENV APACHE_RUN_USER www-data
    ENV APACHE_RUN_GROUP www-data
    ENV APACHE_LOG_DIR /var/log/apache2

    EXPOSE 80

    CMD ["/usr/sbin/apache2", "-D", "FOREGROUND"]
Docker Hub

Cloud-based registry service and image repository.

Functionality:
- Community, official and private image libraries
- Find, push and pull images
- Automatic image build and publication triggered by commits to a version control system
- Workflow triggers: image publication can trigger other actions via WebHooks, e.g. automatic testing or pulls onto the servers running the app