Container Technology Fundamentals (1)

Introduction: A quick introduction to the basics of container technology. The course starts from the fundamentals of containers, explains how container technology is implemented on top of Linux kernel features such as namespaces and CGroups, covers the development background and basic knowledge of Docker containers, and builds a new understanding of the relationship between , CRI and Kubernetes.
Study notes for the Developer School course "The first lesson of the quick introduction to modern application container technology: the basics of container technology (1)". The notes follow the course closely so that users can quickly pick up the material.
Course address: https://developer.aliyun.com/learning/course/830/detail/13950

Course Introduction
• Jointly launched by Alibaba Cloud, Linux Open Source Software Academy and Marco Education
– Pre-course of "CNCF x Alibaba Cloud Native Technology Open Course"
– Companion courses for CKAD/CKA/CKS certification
• Content covers
– Hands-on practice of Kubernetes cloud native operating system
– Alibaba Cloud Kubernetes Managed Service ACK


1. Container technology foundation
1.1 Application deployment and operation
• Application deployment environment
– host
– virtual machine
– container


2. Kernel space and user space of modern operating systems
1. Modern operating systems have two distinct, separate areas in memory, called user space and kernel space;
2. The kernel acts as an intermediate layer between user space and the hardware, is responsible for process scheduling, memory management, interrupt handling, etc., and has full control over system resources;
3. User space communicates with the kernel through "system calls", and system calls provide system-level services to applications through APIs.


3. Virtualization technology
• Virtualize the host hardware into separate, complete and isolated units through dedicated software emulation and/or virtualization technology, each of which can be used as a host
– This specialized software is called VMM, which stands for Virtual Machine Monitor
– Depending on where the VMM is running, virtualization technologies can be divided into two types
• Runs directly on hardware: Type 1
• Runs on an operating system: Type 2
– Each virtual machine directly exposes the hardware interface
• Have separate kernel space and user space
• Complete isolation between processes across virtual machines
• Large resource overhead, para-virtualization technology helps reduce overhead

4. Container Technology
• Generate multiple isolated user spaces on top of the same kernel with the help of a software technology called "container runtime"
– Each user space can independently manage and run its internal processes
– Each user space "thinks" it has exclusive use of the kernel and hardware resources
• Kernel-level shared resources need to be isolated
– Relying on a kernel technology called "namespaces"
• Namespaces are a Linux kernel feature used to isolate parts of the system resources, so that processes can only access the corresponding resources within their own namespace;
– And on "CGroups", contributed by Google


5. Namespaces supported by the Linux kernel
Currently, the kernel (5.13) supports 8 namespaces


Remarks:
monotonic time: a monotonically increasing clock that starts counting when the system boots, but does not include time the system spends suspended;
boot time: similar to monotonic time, the difference being that boot time does include the time the system spends suspended;

6. Namespaces and Chroot
• In 1979, the chroot() system call was added to Unix systems to provide developers with a testbed independent of the root filesystem;
– With the help of chroot(), developers can change the root directory of a process and its children
– As shown in the figure, the file system is divided into two parts that do not affect each other
• Linux introduces new subsystems and system calls to improve process isolation
– The concept of namespace first appeared in Kernel 2.4.19 in 2002. The only supported namespace at that time was Mount, and the flag of this namespace was even named CLONE_NEWNS


7. Isolating and identifying processes: the PID namespace
• The PID namespace can support multiple completely independent process trees
– The process with PID 1, started by the Linux system in user space, serves as the "root" of the process tree
– A PID namespace allows users to create separate branches, each with its own PID 1
• Processes in the new tree never interact with or see the parent process
• The parent process has access to all child process trees
• The clone() system call with the CLONE_NEWPID flag can be used to create a new PID namespace
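As an added example (not part of the course notes), the following C program makes the claims above concrete: a child created with clone() and CLONE_NEWPID reports itself as PID 1, while the parent still addresses it by a PID from its own tree. The function name `child_view_of_pid` is my own; the raw clone(2) syscall is used so the child behaves like a fork, and because creating a PID namespace needs CAP_SYS_ADMIN, the program reports the kernel's refusal when run unprivileged instead of failing.

```c
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWPID                 /* <sched.h> hides CLONE_* without _GNU_SOURCE */
#define CLONE_NEWPID 0x20000000
#endif

/* Create a child with the given CLONE_NEW* flags and return the PID the child sees
 * for itself via getpid(); *parent_view receives the PID clone() handed the parent.
 * Returns -errno if the kernel refused (a new PID namespace needs CAP_SYS_ADMIN).
 * The raw clone(2) syscall with a NULL stack behaves like fork(): the child runs a
 * copy of the parent's memory and gets 0 back, so no glibc clone() wrapper is needed. */
static pid_t child_view_of_pid(int ns_flags, pid_t *parent_view) {
    int fds[2];
    if (pipe(fds) != 0) return -errno;
    long child = syscall(SYS_clone, ns_flags | SIGCHLD, NULL, NULL, NULL, NULL);
    if (child < 0) { int e = errno; close(fds[0]); close(fds[1]); return -e; }
    if (child == 0) {
        pid_t me = getpid();              /* 1 inside a freshly created PID namespace */
        if (write(fds[1], &me, sizeof me) < 0) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    pid_t seen = -1;
    ssize_t n = read(fds[0], &seen, sizeof seen);
    close(fds[0]);
    waitpid((pid_t)child, NULL, 0);
    if (parent_view) *parent_view = (pid_t)child;
    return n == (ssize_t)sizeof seen ? seen : -EIO;
}

int main(void) {
    pid_t pv = 0, cv = child_view_of_pid(0, &pv);
    printf("same PID namespace:  child sees itself as %d, parent sees %d\n", cv, pv);
    cv = child_view_of_pid(CLONE_NEWPID, &pv);
    if (cv < 0)
        printf("CLONE_NEWPID refused: %s\n", strerror(-cv));
    else
        printf("new PID namespace:   child sees itself as %d, parent sees %d\n", cv, pv);
    return 0;
}
```

Run as root (or with CAP_SYS_ADMIN) to see the second line report PID 1 for the child while the parent prints an ordinary PID from its own tree.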


8. Isolating the filesystem: the Mount namespace
• The Mount namespace can create a completely independent filesystem view for unrelated processes, and its reliability is much greater than that of chroot();
– A child process first "sees" the same mount points as its parent
– Once the child process is moved to a separate namespace, any filesystem can be mounted in that namespace, and it cannot be accessed by the parent process or other namespaces


9. Namespace API
• In the Linux kernel, there are 4 APIs related to namespaces
– clone(): creates a child process and isolates it into newly created namespaces;
• Responsible for creating a child process. If CLONE_NEW* flags are passed at the same time, a namespace is created for each flag and the child is placed in those namespaces;
– setns(): adds the process to a specified, already existing namespace;
• Done by operating on the process-related /proc/[pid]/ns/ directory
– unshare(): isolates the process into newly created namespaces;
• Similar to clone(), except that unshare() creates the namespaces in the current process; once the call completes, the current process is in the new namespaces;
– ioctl(): gets information about a namespace
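Added example, not from the course: a C program that uses the /proc/[pid]/ns/ links described above to tell whether a child process still shares a namespace with its parent, after the child optionally calls unshare(). The namespace identity is the inode number in each link, which is the same identity setns() joins when handed a descriptor opened on one of them; the function names `ns_id` and `child_shares_ns` are my own, unshare() is issued as a raw syscall so no feature macros are needed, and an unprivileged run reports the kernel's refusal instead of failing.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUTS                 /* <sched.h> hides CLONE_* without _GNU_SOURCE */
#define CLONE_NEWUTS 0x04000000
#endif

/* /proc/[pid]/ns/<type> is a symlink reading e.g. "uts:[4026531838]"; the bracketed
 * number is the inode that identifies the namespace. Returns 0 if it cannot be read. */
static unsigned long ns_id(pid_t pid, const char *type) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    const char *lb = strchr(link, '[');
    return lb ? strtoul(lb + 1, NULL, 10) : 0;
}

/* Fork a child, optionally unshare() inside it, and compare namespace identities:
 * 1 = child still shares `type` with us, 0 = it left, -errno = unshare() was refused
 * (creating a namespace needs CAP_SYS_ADMIN). Same inode means same namespace. */
static int child_shares_ns(int unshare_flags, const char *type) {
    int fds[2];
    if (pipe(fds) != 0) return -errno;
    pid_t child = fork();
    if (child < 0) return -errno;
    if (child == 0) {                 /* child: unshare, then report its own ns inode */
        long long id = (unshare_flags && syscall(SYS_unshare, unshare_flags) != 0)
                           ? -errno : (long long)ns_id(getpid(), type);
        if (write(fds[1], &id, sizeof id) < 0) _exit(1);
        _exit(0);
    }
    long long id = -EIO;
    if (read(fds[0], &id, sizeof id) != (ssize_t)sizeof id) id = -EIO;
    close(fds[0]); close(fds[1]);
    waitpid(child, NULL, 0);
    return id < 0 ? (int)id : (id != 0 && (unsigned long)id == ns_id(getpid(), type));
}

int main(void) {
    printf("plain fork, pid namespace shared: %d\n", child_shares_ns(0, "pid"));
    int r = child_shares_ns(CLONE_NEWUTS, "uts");
    if (r < 0) printf("unshare(CLONE_NEWUTS) refused: %s\n", strerror(-r));
    else printf("after unshare(CLONE_NEWUTS) in the child, uts namespace shared: %d\n", r);
    return 0;
}
```

The same inode comparison is what `ls -l /proc/<pid>/ns` shows by hand, which is a quick way to verify that a process really is confined to the namespaces its container runtime claims.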


10. Container runtime
• Container technology is built on several kernel primitives such as namespaces, CGroups, and LSM (Linux kernel security modules);
– With the help of these kernel primitives, a secure and isolated process runtime environment can be set up, but this also means that every step of creating one has to be performed by hand;
• A "container runtime" is a set of tools that simplifies this kind of operation
– A "runtime" is a lifecycle management tool for processes; a container runtime specifically refers to software that runs and manages containers
– It helps users deploy containers easily, efficiently and securely, and is a key component of container management
• In 2007, after CGroups were introduced into the Linux kernel, several container runtime projects appeared, such as LXC and LMCTFY (from Google)

11. Linux Containers and the LXC Project
• LXC, short for LinuX Containers, is a well-known Linux container management project consisting of a set of tools, templates and libraries; however:
– LXC only provides single-machine command line tools, and these commands are very low-level and difficult for users to understand
– LXC has no daemon process and cannot provide a socket-based API, so cross-host container migration is difficult to achieve
– The LXD project provides this missing functionality

12. Docker containers
• dotCloud's Docker project was also initially built on LXC, to make container technology more developer- and user-friendly; it replaced LXC with its own libcontainer shortly afterwards
– After the Docker project became famous, dotCloud also renamed itself Docker
• Finally, Docker was released in 2013, addressing many of the problems developers had with end-to-end windows
• Container image format
• Build container images: Dockerfile, docker build
• Container image management: docker image, docker rmi
• Container instance management: docker ps, docker rm, …
• Shared container images: docker push/pull
• The way to run the container image: docker run
