“Low Fat” Virtualization
6th Fribourg Seminar on Embedded Linux
Dr Jacques Supcik, Ecole d'ingénieurs et d'architectes de Fribourg, 8 May 2014
“Classical” Virtualization…
Virtualization needs a lot of resources
Virtualization works best with special hardware
So what about a more “skinny” virtualization?
chroot
- The chroot system call was introduced during development of Version 7 Unix in
1979 and has been available since 1982 (32 years old).
- Provides (partial) file system isolation only.
- “root” users can still escape chroot.
- Requires some manual linking (or copying) of system files.
BSD's “Jail”
- Available since 1998 (16 years old).
- Provides disk and CPU quotas, memory limits, network and root privilege
isolation.
OpenVZ
- Available since 2005 (9 years old).
- Requires a special kernel.
- Adds I/O rate limiting, partition checkpointing and live migration.
- Still used by hosting companies to provide virtual private servers.
OpenVZ
Source: OpenVZ Web site
- A Container looks like a normal Linux system. It has standard startup scripts;
software from vendors can run inside a Container without OpenVZ-specific modifications or adjustment.
- A user can change any configuration file and install additional software.
- Containers are fully isolated from each other (file system, processes, Inter Process
Communication (IPC), sysctl variables).
- Containers share dynamic libraries, which greatly saves memory.
- Processes belonging to a Container are scheduled for execution on all available
CPUs. Consequently, Containers are not bound to only one CPU and can use all available CPU power.
LXC Linux Container
- Available since 2008 (6 years old).
- Relies on the Linux kernel “cgroups” functionality that was released in version 2.6.24.
- Full file system isolation and root privilege isolation since version 1.0
(February 2014 / Linux kernel 3.8).
- No partition checkpointing and no live migration!
- “chroot on steroids”.
Cgroups (control groups)
Namespace Isolation
- PID namespace: Isolation for the allocation of process identifiers.
- Network namespace: Isolates the NIC, iptables rules, routing, etc.
- “UTS” namespace: Allows changing the hostname.
- Mount namespace: Allows creating a different file system layout.
- IPC namespace: Isolates the System V IPC.
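The namespaces listed above are what LXC (and Docker on top of it) use to give a container its own view of the system. The following C program is an added example, not code from the slides or from LXC: it uses clone(2) to start a child in a fresh user, UTS and PID namespace, lets the child change its hostname and report its PID, and then checks that the parent's hostname is untouched. It assumes a Linux kernel with unprivileged user namespaces enabled and glibc; where the kernel or a seccomp policy refuses the clone, run_in_namespaces() returns -1 instead of failing. The hostname "container-demo" and the function names are the example's own.

```c
/*
 * Added example (not from the slides): demonstrate Linux namespace isolation
 * with clone(2). The child gets a new user namespace (so no root is needed),
 * a new UTS namespace (its own hostname) and a new PID namespace (it sees
 * itself as PID 1). The parent's hostname is never affected.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (256 * 1024)

struct ns_args {
    const char *hostname;   /* hostname to set inside the new UTS namespace */
    int pipe_fd;            /* write end of a pipe back to the parent */
};

/* Runs inside the new namespaces: set the hostname and report what we see. */
static int child_fn(void *arg)
{
    struct ns_args *a = arg;
    char seen[128];
    char buf[256];
    ssize_t w;

    /* Allowed without real root: the new UTS namespace is owned by the new
     * user namespace, in which this process holds all capabilities. */
    if (sethostname(a->hostname, strlen(a->hostname)) != 0)
        strcpy(seen, "sethostname-failed");
    else if (gethostname(seen, sizeof seen) != 0)
        strcpy(seen, "gethostname-failed");

    /* First process in a new PID namespace is PID 1 */
    snprintf(buf, sizeof buf, "%s %ld", seen, (long)getpid());
    w = write(a->pipe_fd, buf, strlen(buf));
    (void)w;
    close(a->pipe_fd);
    return 0;
}

/*
 * Start a child in fresh user/UTS/PID namespaces and capture its report
 * ("<hostname> <pid>"). Returns 0 on success, -1 if the namespaces are not
 * available to this process (old kernel, user namespaces disabled, seccomp).
 */
int run_in_namespaces(const char *hostname, char *report, size_t len)
{
    int fds[2];
    char *stack;
    pid_t pid;
    ssize_t n;
    struct ns_args args;

    if (pipe(fds) != 0)
        return -1;
    stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }

    args.hostname = hostname;
    args.pipe_fd = fds[1];

    /* The stack grows down on x86/ARM, so pass the top of the allocation. */
    pid = clone(child_fn, stack + STACK_SIZE,
                CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD, &args);
    close(fds[1]);
    if (pid == -1) {          /* EPERM / EINVAL: namespaces unavailable */
        close(fds[0]);
        free(stack);
        return -1;
    }

    n = read(fds[0], report, len - 1);
    report[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    free(stack);
    return 0;
}

/* Returns 1 if the parent's hostname is unchanged after the child ran. */
int parent_hostname_is_isolated(void)
{
    char before[128], after[128], report[256];
    gethostname(before, sizeof before);
    run_in_namespaces("container-demo", report, sizeof report);
    gethostname(after, sizeof after);
    return strcmp(before, after) == 0;
}

int main(void)
{
    char report[256];
    if (run_in_namespaces("container-demo", report, sizeof report) == 0)
        printf("child saw (hostname pid): %s\n", report);
    else
        printf("namespaces not available here (errno %d)\n", errno);
    printf("parent hostname isolated: %d\n", parent_hostname_is_isolated());
    return 0;
}
```

On a kernel that allows it, the child prints "container-demo 1": its own hostname and PID 1, while the parent keeps the host's name. Note what this example does not do: no mount or network namespace is created, so the child still shares the host's file system and NICs, which is exactly why LXC combines all of the namespaces above with cgroups rather than relying on one of them.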
Docker
- Available since 2013 (1 year young).
- Based on LXC.
- Is currently under heavy development. Docker should not be used in production
(yet).
- “Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will run virtually
anywhere.”
Docker
If you want to try “Docker” you can easily do it on a “Droplet” at Digital
Ocean ($5 for 1 month).
References
- http://japanese.lingualift.com/blog/what-sumo-eat-wrestlers-diet/
- http://community.futureshop.ca/t5/Tech-Blog/How-to-build-a-PC-How-to-upgrade-your-RAM/ba-p/426769
- https://en.wikipedia.org/wiki/Western_Digital_Raptor
- http://www.pcper.com/news/General-Tech/ARM-aims-make-TSMC-Fab-choice-their-customers
- http://www.reflexandwellnessclinic.com/projects/services/
- https://en.wikipedia.org/wiki/Chroot
- http://sysadvent.blogspot.ch/2010/12/day-14-freebsd-jails.html
- http://openvz.org/User_Guide/OpenVZ_Philosophy
- https://linuxcontainers.org/
- http://www.linuxadvocates.com/2013/04/linux-containers-and-why-they-matter.html
- https://www.docker.io/
- https://en.wikipedia.org/wiki/Operating_system-level_virtualization
- https://en.wikipedia.org/wiki/LXC