Linux Containers Overview & Roadmap - Red Hat

Post on 03-Jun-2020


Linux Containers Overview & Roadmap

Bhavna Sarathy
Senior Product Manager, Red Hat

Dan Walsh
Senior Principal Software Engineer, Red Hat

June 12 2013

Key elements of Linux Containers

Process Isolation

Security

Resource Management

Management

Linux Container Architecture

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware (Intel, AMD)

Namespaces

Namespaces: Process Isolation

Mount: mounting/unmounting filesystems
UTS: hostname, domainname
IPC: SysV message queues, semaphore/shared memory segments
Network: IPv4/IPv6 stacks, routing, firewall
PID: Private /proc, multiple pid 1's
User: (UID) Just showing up in the Kernel now.

– Not planning on supporting in RHEL7.
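As an added illustration (not from the slides) of the UTS namespace isolation listed above: a C program that forks a child, moves it into new user and UTS namespaces, renames the host inside, and then confirms the parent's hostname is unchanged. It assumes a Linux kernel; where unshare is refused (user namespaces disabled, or a seccomp-restricted sandbox) it reports the check as unavailable rather than failing.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Declared here in case _GNU_SOURCE was not in effect when <sched.h> was first read. */
int unshare(int flags);
#ifndef CLONE_NEWUSER           /* flag values from <linux/sched.h> */
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#endif

enum uts_result { UTS_ISOLATED = 0, UTS_LEAKED = 1, UTS_UNAVAILABLE = -1 };

/* Fork a child that enters fresh user + UTS namespaces and renames the host
 * there, then check whether the parent's hostname changed.
 * UTS_ISOLATED:    the rename stayed inside the child's namespace (expected).
 * UTS_LEAKED:      the parent saw the new name, i.e. isolation failed.
 * UTS_UNAVAILABLE: the kernel or sandbox refused unshare/sethostname. */
int uts_isolation_check(void)
{
    const char *name = "container-demo"; /* constructed sample hostname */
    char before[256], after[256], inner[256];
    if (gethostname(before, sizeof before) != 0) return UTS_UNAVAILABLE;
    pid_t pid = fork();
    if (pid < 0) return UTS_UNAVAILABLE;
    if (pid == 0) {
        /* CLONE_NEWUSER grants CAP_SYS_ADMIN inside the new user namespace,
         * so an unprivileged process may create the UTS namespace with it. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0) _exit(2);
        if (sethostname(name, strlen(name)) != 0) _exit(2);
        if (gethostname(inner, sizeof inner) != 0) _exit(2);
        _exit(strcmp(inner, name) == 0 ? 0 : 3); /* 0 only if child sees its private name */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return UTS_UNAVAILABLE;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return UTS_UNAVAILABLE;
    if (gethostname(after, sizeof after) != 0) return UTS_UNAVAILABLE;
    return strcmp(before, after) == 0 ? UTS_ISOLATED : UTS_LEAKED;
}

int main(void)
{
    int r = uts_isolation_check();
    printf("UTS namespace check: %s\n", r == UTS_ISOLATED ? "isolated" : r == UTS_LEAKED ? "LEAKED" : "unavailable");
    return r == UTS_LEAKED;
}
```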

Namespace Use

➢ pam_namespace - RHEL5/6
➢ SELinux sandbox - RHEL6
➢ SystemD - Fedora 17
  ➢ UnitFile: PrivateTmp, PrivateNetwork
➢ Openshift - RHEL6
  ➢ pam_namespace: Private /tmp

Process Isolation

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware (Intel, AMD)

Namespaces Cgroups

Namespaces

Resource Management with Cgroups

Memory, Network, Block IO, CPU

Linux Kernel

Hardware (Intel, AMD)

Cgroups

Cgroup Use

➢ Libvirt/qemu – RHEL6
➢ OpenShift - RHEL6
➢ SystemD - Fedora 18
  ➢ UnitFile: ControlGroup*
➢ Red Hat Storage Server
  ➢ Gluster - RHEL6

Resource Management

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware (Intel, AMD)

Namespaces Cgroups SELinux

SELinux Use

➢ Targeted - RHEL4
➢ MLS – RHEL5
➢ Targeted/MCS - RHEL6
➢ sVirt
➢ OpenShift
➢ sandbox -X

Security

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware (Intel, AMD)

Namespaces Cgroups SELinux

Libvirt

Network Devices

Red Hat Enterprise Linux Container Architecture

Linux Kernel

Hardware (Intel, AMD)

Namespaces Cgroups SELinux

Libvirt

Containers

Network Devices

Libvirt Use

➢ Libvirt - RHEL5, RHEL6
  ➢ Launch Virtual Machines
➢ Libvirt-lxc – RHEL6.4
  ➢ Launch Containers

Management

Linux Container Use Cases

Process Isolation

Security

Resource Management

Management

Containers use cases

Shared RHEL Host Software
➢ Generic Application Container
➢ Systemd Application Container

Unshared OS Software
➢ Chroot Application Container
➢ Booted OS Container

Generic Application Container

virt-sandbox-service

Libvirt

libvirt-lxc

Any command

Planned for

RHEL 7.0

Systemd Application Container

systemd

virt-sandbox-service

Libvirt

libvirt-lxc

systemd Unit file

Planned for

RHEL 7.0

Chroot Application Container

virt-sandbox-service

Libvirt

libvirt-lxc

Any Command In Chroot

Support TBD

in RHEL 7.*

Booted OS Container

virt-sandbox-service

Libvirt

libvirt-lxc

/sbin/init

Not supported!!! Use KVM

Containers vs KVM Virtualization

When should I use containers and when should I use KVM?

Containers vs KVM Virtualization

✔ Startup and shutdown speed
✔ Ease of Maintenance
✔ Easy to create
✔ System-wide changes visible in each container
✔ For RHEL Shared OS Containers
✔ Scalability: Number of containers
✔ Process Memory Sharing

KVM Virtualization vs Containers

✔ Boot multiple Different Operating Systems
✔ Including Windows
✔ Separate kernel
✔ Better Security
✔ Kernel crash does not take down host
✔ Guest Isolation from host changes
✔ Full Separation
✔ Features such as live migration, live storage migration

Linux Containers : Scalability

How many containers can you run?
➢ Theoretical
  ➢ Scales to 6000 containers and 12000 bind mounts of root filesystem directories
➢ Practical
  ➢ Running real workloads, containers doing work in parallel

Linux Containers Demo

Future

➢ Seccomp – Linux syscall restriction

➢ Better audit support/logging support

➢ Working UnionFS.

➢ What's going to break?????

Questions?

Related Summit Sessions

Managing SELinux in the Enterprise

– Wed 4:50 pm, Rm 312

Secure Development Practices

– Thu 1:20 pm, Rm 306

Under the Hood of OpenShift, Turbocharged by RHEL

– Thu 3:40 pm, Rm 304

KVM Hypervisor Roadmap & Technology Update

– Thu 10:40am, Rm 304

Hypervisor Technology Comparison & Migration

– Fri 9:45am, Rm 313

Contact Info

Dan Walsh

Email: dwalsh@redhat.com

Blog: danwalsh.livejournal.com

Twitter: @rhatdan

Bhavna Sarathy

Email: bsarathy@redhat.com
