Linux Container Primitives: cgroups, namespaces, and more!
Duration: 34:27


linuxfestnorthwest


Overview

This video explains the core Linux technologies that enable containers: control groups (cgroups), namespaces, and union file systems. It details how these primitives, when combined, provide process isolation and resource management. The presentation covers how cgroups manage and limit resources like CPU and memory, how namespaces isolate views of system resources such as networks and file systems, and how layered file systems like OverlayFS efficiently manage container images. Finally, it touches on container runtimes and the Open Container Initiative (OCI) standards that define how these primitives are orchestrated.


Chapters

  • Containers are a way to run Linux processes with isolation and separation.
  • They are built by combining several core Linux primitives: control groups, namespaces, and file systems.
  • Understanding these primitives is crucial for troubleshooting and designing containerized systems.
  • Each primitive can be used independently or combined in various ways.
This foundational knowledge helps demystify containers by breaking them down into their fundamental building blocks, enabling a deeper understanding of how they function and how to manage them effectively.

  • Cgroups track, group, and organize processes, allowing for resource monitoring and control.
  • They operate through independent 'subsystems' (e.g., CPU, memory, devices) that manage specific resources.
  • Each subsystem has its own hierarchical structure, allowing for flexible resource allocation and prioritization.
  • Processes inherit cgroups from their parent and can be moved by writing their PID to a target cgroup's 'tasks' file via a virtual file system (e.g., /sys/fs/cgroup).
Cgroups are essential for preventing resource exhaustion and ensuring fair resource distribution among processes, which is critical for container stability and performance.
A demonstration shows creating a new cgroup directory, moving the current shell process into its 'tasks' file, and then setting a 'pids.max' limit to prevent more than a certain number of processes from being created within that cgroup.
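The pids demonstration, redone from Python as an added example (this is not the talk's own code). It assumes the cgroup v1 pids controller is mounted at /sys/fs/cgroup/pids and that the script runs as root for the live part; the helpers that interpret pids.max, model the controller's fork check, and parse /proc/<pid>/cgroup work offline on the constructed sample and on real files alike.

```python
import os
from pathlib import Path
from typing import Dict, Optional

# Assumed v1 mount point of the pids controller (the talk's demo also uses
# the v1 'tasks' file; on a cgroup v2 host the file is 'cgroup.procs').
CGROUP_PIDS_ROOT = Path("/sys/fs/cgroup/pids")


def parse_pids_max(text: str) -> Optional[int]:
    """Interpret a pids.max file: the literal 'max' means unlimited."""
    text = text.strip()
    if text == "max":
        return None
    value = int(text)
    if value < 0:
        raise ValueError(f"negative pids.max: {value}")
    return value


def fork_allowed(current: int, limit: Optional[int]) -> bool:
    """Mirror the controller's charge check: a new task is refused (fork
    fails with EAGAIN) once it would push pids.current above pids.max."""
    return limit is None or current + 1 <= limit


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Parse /proc/<pid>/cgroup lines ('id:controllers:path') into
    {controller: path}; the v2 unified line has no controllers and is
    stored under the empty-string key."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for ctrl in (controllers.split(",") if controllers else [""]):
            result[ctrl] = path
    return result


def create_limited_cgroup(name: str, max_pids: int, pid: Optional[int] = None) -> Path:
    """The talk's demo: mkdir a cgroup, write a PID into its tasks file,
    then write pids.max. Requires root and the v1 pids hierarchy."""
    cg = CGROUP_PIDS_ROOT / name
    cg.mkdir(exist_ok=True)
    (cg / "tasks").write_text(str(pid if pid is not None else os.getpid()))
    (cg / "pids.max").write_text(str(max_pids))
    return cg


if __name__ == "__main__":
    # Constructed sample of two /proc/self/cgroup lines (not captured output).
    sample = "7:pids:/demo\n0::/init.scope\n"
    print(parse_proc_cgroup(sample))
    if os.geteuid() == 0 and CGROUP_PIDS_ROOT.is_dir():
        cg = create_limited_cgroup("demo", 5)
        limit = parse_pids_max((cg / "pids.max").read_text())
        current = int((cg / "pids.current").read_text())
        print(f"pids.current={current} pids.max={limit} "
              f"another fork allowed: {fork_allowed(current, limit)}")
    else:
        print("live demo skipped: needs root and a v1 pids controller mount")
```

Once the shell (or this script) sits in the cgroup with pids.max=5, the sixth task fails to spawn with EAGAIN; reading pids.current against pids.max, as `fork_allowed` does, is the quickest way to confirm why a container is "mysteriously" unable to start helper processes.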

  • Namespaces provide process isolation by giving processes their own view of system resources.
  • Different namespaces exist for various resources, including network interfaces, mount points, process IDs (PIDs), and more.
  • Processes can share some namespaces while having unique ones for others, offering granular control over isolation.
  • Namespaces are manipulated via system calls (clone, unshare) and can be kept alive by running processes or bind mounts.
Namespaces are the primary mechanism for creating the illusion of separate environments for containers, ensuring that processes within a container do not interfere with the host system or other containers.
The presenter demonstrates creating a new network namespace using 'unshare', showing that it initially only has a loopback interface, and then uses 'ip netns' to manage and inspect persistent network namespaces.
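An added example, not from the talk, that inspects namespace membership the way a defender checks whether a process is contained: every /proc/<pid>/ns/<type> symlink reads as '<type>:[<inode>]', and two processes share a namespace exactly when the inodes match. The live unshare(CLONE_NEWNET) part assumes Python 3.12 or later (where `os.unshare` exists) and root; the parsing helpers run offline on a constructed /proc/net/dev sample.

```python
import os
from typing import Dict, List, Tuple

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_ns_link(link: str) -> Tuple[str, int]:
    """'net:[4026531992]' -> ('net', 4026531992); the inode identifies the namespace."""
    kind, sep, rest = link.partition(":")
    if not sep or not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"unexpected namespace link: {link!r}")
    return kind, int(rest[1:-1])


def read_namespaces(pid) -> Dict[str, int]:
    """Namespace inodes of a process; types we are not allowed to read are skipped."""
    found: Dict[str, int] = {}
    for kind in NS_TYPES:
        try:
            found[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))[1]
        except (FileNotFoundError, PermissionError):
            continue
    return found


def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Namespace types known for both processes whose inodes differ."""
    return sorted(kind for kind in a.keys() & b.keys() if a[kind] != b[kind])


def list_interfaces(proc_net_dev: str) -> List[str]:
    """Interface names from /proc/<pid>/net/dev, which reflects that
    process's network namespace (two header lines, then 'name: stats')."""
    names = []
    for line in proc_net_dev.splitlines()[2:]:
        name, sep, _stats = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


if __name__ == "__main__":
    mine, init = read_namespaces("self"), read_namespaces(1)
    print("namespaces that differ from PID 1:", differing_namespaces(init, mine) or "none")
    # Live part of the demo: a fresh network namespace holds only loopback.
    if hasattr(os, "unshare") and os.geteuid() == 0:
        before = read_namespaces("self")["net"]
        os.unshare(os.CLONE_NEWNET)
        with open("/proc/self/net/dev") as f:
            print("new net ns inode", read_namespaces("self")["net"], "(was", before, ")")
            print("interfaces:", list_interfaces(f.read()))
```

Comparing against PID 1 is the usual containment check: a process whose mnt and pid namespaces differ from init's is running inside some container or sandbox, while one that matches init on net shares the host's interfaces even if it looks containerized otherwise.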

  • Container images are essentially layered file systems that define the container's userland.
  • Layers allow for efficient storage and inheritance, where changes are made in the topmost writable layer.
  • Union file systems, like OverlayFS, merge these layers to present a single, unified view to the container.
  • This layered approach enables copy-on-write, where only modified or new files consume extra space in the top layer.
Understanding layered images and union file systems explains how containers can be created, shared, and run efficiently, minimizing storage duplication and speeding up container startup.
The video shows how Docker uses the OverlayFS driver, detailing the 'diff' directory for layer contents, the 'work' directory for temporary operations, and how a 'whiteout' file is used to mark deleted files, effectively hiding them from the merged view.
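A model of the merge, copy-on-write and whiteout rules described above, written as an added example (mine, not the talk's or Docker's code). Layers are dicts from path to content, and the `WHITEOUT` sentinel stands in for the 0/0 character device that OverlayFS places in the upper layer to hide a lower file; the real mount is `mount -t overlay overlay -o lowerdir=l2:l1,upperdir=upper,workdir=work merged`, with lowerdir listing the top-most lower layer first. The image contents are constructed.

```python
from typing import Any, Dict, List

# Sentinel standing in for the 0/0 character device that overlayfs (and
# Docker's overlay2 'diff' directory) writes into the upper layer to hide
# a file from the layers below.
WHITEOUT = object()

Layer = Dict[str, Any]   # path -> file content, or WHITEOUT


def merged_view(lowers: List[Layer], upper: Layer) -> Dict[str, str]:
    """Union of the layers as the container sees it. `lowers` is ordered
    bottom-most first (the reverse of the 'lowerdir=' mount option);
    higher layers win, and a whiteout hides the same path from everything
    beneath it."""
    view: Dict[str, str] = {}
    for layer in [*lowers, upper]:
        for path, content in layer.items():
            if content is WHITEOUT:
                view.pop(path, None)
            else:
                view[path] = content
    return view


def write_file(upper: Layer, path: str, content: str) -> None:
    """Copy-on-write: every write lands in the upper layer; the image
    layers below are never modified."""
    upper[path] = content


def delete_file(lowers: List[Layer], upper: Layer, path: str) -> None:
    """If the path is visible through the lower layers, hide it with a
    whiteout; if it only ever existed in the upper layer, just drop it."""
    if path in merged_view(lowers, {}):
        upper[path] = WHITEOUT
    else:
        upper.pop(path, None)


def layer_bytes(layer: Layer) -> int:
    """Storage consumed by one layer (a whiteout carries no content)."""
    return sum(len(c) for c in layer.values() if c is not WHITEOUT)


if __name__ == "__main__":
    # Constructed image: a base layer and a second layer that upgrades 'app'.
    base: Layer = {"/etc/os-release": "ID=debian", "/usr/bin/app": "v1"}
    second: Layer = {"/usr/bin/app": "v2", "/tmp/build.log": "build ok"}
    upper: Layer = {}                       # the container's writable layer
    delete_file([base, second], upper, "/tmp/build.log")
    write_file(upper, "/etc/os-release", "ID=custom")
    print(merged_view([base, second], upper))
    print("upper layer bytes:", layer_bytes(upper), "base unchanged:", base)
```

The forensic consequence is the one the video's 'diff' directory walk hints at: a file "deleted" inside a container is still intact in the image layer below, and the only trace in the writable layer is the whiteout entry, so inspecting a container's upper directory shows exactly what the workload changed or hid.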

  • Container runtimes are the software tools that set up cgroups, namespaces, and file systems for containers.
  • Docker is a well-known example, but it relies on lower-level runtimes like runc.
  • The Open Container Initiative (OCI) provides standards for container runtimes and image formats, promoting interoperability.
  • An OCI bundle consists of a root file system and a configuration file (config.json) detailing cgroups, namespaces, and other container settings.
Knowing about container runtimes and OCI standards helps understand the ecosystem and how different tools interact to manage and execute containers consistently across various platforms.
The presenter examines the structure of an OCI bundle created by Docker, highlighting the 'config.json' file which contains detailed specifications for the container's environment, including its cgroup and namespace configurations.
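An added example (not the talk's code, and not a bundle captured from Docker) that reads the parts of config.json the presenter points at and reports what a reviewer wants to know: which namespaces the runtime is asked to create, which would therefore be shared with the host, the cgroup path, the pids limit, and whether the root file system is read-only. The field names follow the OCI runtime spec; the JSON document itself is constructed.

```python
import json
from typing import Any, Dict, List, Optional

# Namespace types a runtime would normally create fresh for a container;
# a type missing from linux.namespaces means the container shares the host's.
EXPECTED_NAMESPACES = ("pid", "net", "mnt", "ipc", "uts")

# Constructed, minimal config.json in the OCI runtime-spec layout.
SAMPLE_CONFIG = """
{
  "ociVersion": "1.0.2",
  "process": {"args": ["/bin/sh"], "user": {"uid": 0, "gid": 0},
              "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]}},
  "root": {"path": "rootfs", "readonly": false},
  "linux": {
    "cgroupsPath": "/docker/demo",
    "resources": {"pids": {"limit": 100}, "memory": {"limit": 268435456}},
    "namespaces": [{"type": "pid"}, {"type": "net"}, {"type": "mnt"},
                   {"type": "uts"}]
  }
}
"""


def load_config(text: str) -> Dict[str, Any]:
    """Parse a config.json document."""
    return json.loads(text)


def namespace_types(cfg: Dict[str, Any]) -> List[str]:
    """Namespace types the runtime is asked to create (or, when an entry
    carries a 'path', to join)."""
    return [ns["type"] for ns in cfg.get("linux", {}).get("namespaces", [])]


def missing_namespaces(cfg: Dict[str, Any]) -> List[str]:
    """Expected namespaces absent from the config, i.e. shared with the host."""
    present = set(namespace_types(cfg))
    return [t for t in EXPECTED_NAMESPACES if t not in present]


def pids_limit(cfg: Dict[str, Any]) -> Optional[int]:
    """linux.resources.pids.limit, or None when no cap is configured."""
    return cfg.get("linux", {}).get("resources", {}).get("pids", {}).get("limit")


def summarize(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """The facts a reviewer wants at a glance from a bundle's config.json."""
    return {
        "args": cfg["process"]["args"],
        "rootfs_readonly": cfg.get("root", {}).get("readonly", False),
        "cgroups_path": cfg.get("linux", {}).get("cgroupsPath"),
        "namespaces": namespace_types(cfg),
        "shares_with_host": missing_namespaces(cfg),
        "pids_limit": pids_limit(cfg),
        "bounding_caps": cfg["process"].get("capabilities", {}).get("bounding", []),
    }


if __name__ == "__main__":
    summary = summarize(load_config(SAMPLE_CONFIG))
    for key, value in summary.items():
        print(f"{key:17} {value}")
```

On the constructed bundle the summary reports that the ipc namespace is shared with the host and that the root file system is writable, which is exactly the kind of detail that is easy to miss when only the Docker command line is reviewed; pointing the script at a real bundle's config.json lets you check what the runtime was actually handed.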

Key takeaways

  1. Containers are not a single technology but a combination of Linux kernel features like cgroups and namespaces.
  2. Cgroups provide resource control (CPU, memory, I/O) for groups of processes, preventing resource starvation.
  3. Namespaces isolate processes from each other and the host system by providing separate views of resources like the network and file system.
  4. Layered container images, managed by union file systems like OverlayFS, enable efficient storage and rapid deployment through copy-on-write.
  5. The OCI standards ensure interoperability between different container runtimes and tools.
  6. Understanding these primitives is key to debugging container issues and optimizing their performance.
  7. Container runtimes orchestrate the setup of cgroups, namespaces, and file systems based on OCI specifications.

Key terms

Control Groups (cgroups), Namespaces, Union File System, OverlayFS, Container Image, Copy-on-Write, OCI (Open Container Initiative), Container Runtime, PID, Virtual File System

Test your understanding

  1. How do cgroups contribute to the stability and security of containerized applications?
  2. What is the primary purpose of namespaces in Linux containers, and what are some examples of resources they isolate?
  3. Explain the concept of layered images and how union file systems like OverlayFS make them efficient.
  4. What role does the Open Container Initiative (OCI) play in the container ecosystem?
  5. How can understanding cgroups and namespaces help a developer troubleshoot issues with a containerized application?
