[k8s study notes - Introduction to container concepts (2) - Isolation and restriction]

(A new series has been started; this one needs to be filled in and kept going)

Container Basics 2: Isolation and Restriction

Isolation

Concept explanation

1. Namespace: the technical means used to achieve "isolation" in Linux containers. Namespace technology modifies the application process's "view" of the whole machine: the operating system limits what the process can "see" to certain specified content.
2. Docker engine: it is not equivalent to a hypervisor. Unlike a hypervisor, it is not responsible for building the isolated environment for the application process, nor does it create any physical "container". The isolated environment is really provided by the host operating system itself.
3. Applications in the container: the application processes a user runs in a container are managed by the host operating system just like any other process on the host; the only difference is that these isolated processes have additional Namespace parameters set. The role of the Docker project here is more one of bypass assistance and management (could Docker even be removed? What would replace it?)
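Because a container is just a host process with extra Namespace parameters, the isolation is something you can inspect from the host rather than take on trust: every process exposes its namespace memberships as links under /proc/<pid>/ns, and two processes share a namespace exactly when the link targets (the inode numbers) match. The following added example (my own code, not part of the original post or of Docker) compares a process against PID 1 to see which namespaces it actually has of its own; the `readlink` parameter is injectable so the logic can be exercised on constructed data, and the NS_KINDS list is the set of namespace links current kernels expose.

```python
"""Added example (not from the original post): compare the Linux namespaces of two
processes by reading the /proc/<pid>/ns/* links. Each link target looks like
'pid:[4026531836]'; processes with the same inode share that namespace."""
import os

# Namespace kinds exposed under /proc/<pid>/ns on current kernels
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid, readlink=os.readlink):
    """Return {kind: link_target} for the given pid.

    `readlink` is injectable so the function can be exercised on constructed
    data; by default it reads the live /proc filesystem (Linux only)."""
    result = {}
    for kind in NS_KINDS:
        try:
            result[kind] = readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            # kernel too old for this namespace kind, or no permission to read it
            continue
    return result


def compare_namespaces(ns_a, ns_b):
    """Split the namespace kinds into those two processes share and those that
    differ. Returns (shared, separate) as sorted lists of namespace kinds."""
    shared, separate = [], []
    for kind in NS_KINDS:
        if kind in ns_a and kind in ns_b:
            (shared if ns_a[kind] == ns_b[kind] else separate).append(kind)
    return sorted(shared), sorted(separate)


def is_isolated_from(pid, reference_pid=1, readlink=os.readlink):
    """True when `pid` has at least one namespace different from the reference
    process (the host's PID 1 by default): a quick check that a process which is
    supposed to be 'in a container' really has namespaces of its own."""
    _, separate = compare_namespaces(read_namespaces(pid, readlink),
                                     read_namespaces(reference_pid, readlink))
    return bool(separate)


if __name__ == "__main__":
    me = os.getpid()
    shared, separate = compare_namespaces(read_namespaces(me), read_namespaces(1))
    print("shared with PID 1:  ", shared)
    print("separate from PID 1:", separate)
```

Run on the host against a containerized process's pid, the "separate" list is typically mnt, net, pid and uts (and ipc), while user and cgroup are often still shared with the host, which is one concrete way of seeing the incomplete isolation discussed below.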

Features of containerization

  1. Saving resources: with virtual machines, each VM needs its own operating system, which wastes a large amount of resources. Containers need no separate system, and the resources consumed by namespaces are negligible.
  2. Agility and high performance: these are the biggest advantages.
  3. Isolation is not complete: 1) because a container is just a special process running on the host, multiple containers share the host operating system's kernel; 2) many resources and objects cannot be namespaced, time for example, which means the whole system's clock is shared, and this places certain restrictions on what can be done inside a container. Some things can be done and some cannot.

Restriction

Technology used for restriction

1) Linux Cgroups is an important kernel feature used to set resource limits for processes. Its first function is to cap the resources a process group may use, including CPU, memory, disk, network bandwidth, etc.; its second is to set priorities, audit, and suspend and resume processes. 2) Linux Cgroups are designed as a combination of a subsystem directory and a set of resource-restriction files; that is, a control group is created for each container.

Imperfect restrictions

The CPU core count, available memory and other information that an application reads inside the container are the host machine's values, which can cause considerable confusion and risk for the application.
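The practical consequence of the two sections above (the per-container control group, and the host-wide values that sources such as /proc/cpuinfo, /proc/meminfo or os.cpu_count() still report) is that an application which sizes its thread pool or caches from those sources will overshoot its Cgroups limit and be throttled or OOM-killed. The following added example (my own code, not part of the original post or of Docker) reads the container's own limits from the cgroup v2 files instead. It assumes the unified hierarchy is mounted at /sys/fs/cgroup and that, as is usual with a cgroup namespace, the container's own cpu.max and memory.max appear at that root; the `reader` parameter is injectable so the parsing can be checked on constructed file contents.

```python
"""Added example (not from the original post): derive the CPU and memory limits
an application should really plan on from the cgroup v2 'cpu.max' and
'memory.max' files rather than from host-wide values."""
import math
import os

CGROUP_ROOT = "/sys/fs/cgroup"   # assumed mount point of the unified hierarchy


def parse_cpu_max(text):
    """Parse cgroup v2 'cpu.max' ("<quota> <period>" in microseconds, or
    "max <period>") into the number of CPUs the cgroup may use, or None when
    there is no quota."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_memory_max(text):
    """Parse cgroup v2 'memory.max' into a byte count, or None when unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def effective_cpu_count(cpu_max_text, host_cpus):
    """CPUs a worker pool should be sized on: the cgroup quota rounded up,
    never more than the host's real CPUs and never fewer than one."""
    limit = parse_cpu_max(cpu_max_text)
    if limit is None:
        return host_cpus
    return max(1, min(host_cpus, math.ceil(limit)))


def effective_memory_bytes(memory_max_text, host_bytes):
    """Memory an application may plan on: the cgroup limit if set, else the host."""
    limit = parse_memory_max(memory_max_text)
    return host_bytes if limit is None else min(limit, host_bytes)


def read_file(path):
    with open(path) as f:
        return f.read()


def container_limits(root=CGROUP_ROOT, reader=read_file):
    """Read the live limits; returns {'cpus': ..., 'memory_bytes': ...} with None
    meaning unlimited. Missing files (cgroup v1 host, or a non-Linux machine)
    leave both values at None rather than raising."""
    limits = {"cpus": None, "memory_bytes": None}
    try:
        limits["cpus"] = parse_cpu_max(reader(os.path.join(root, "cpu.max")))
        limits["memory_bytes"] = parse_memory_max(reader(os.path.join(root, "memory.max")))
    except (OSError, ValueError):
        pass
    return limits


if __name__ == "__main__":
    host_cpus = os.cpu_count() or 1
    limits = container_limits()
    print("host reports CPUs:", host_cpus)
    print("cgroup limits:    ", limits)
```

A cpu.max of "150000 100000" (1.5 CPUs) on an 8-core host therefore yields a pool size of 2, not 8; a memory.max of 512 MiB is what the application should treat as its ceiling regardless of what /proc/meminfo shows.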

Summary

  1. A running Docker container is actually an application process with multiple Linux Namespaces enabled, and the amount of resources this process can use is limited by the Cgroups configuration.
  2. Isolation uses namespace technology, but complete isolation cannot be achieved; restriction uses cgroups technology.
  3. Containers follow a "single process" model: you cannot run two different applications in one container at the same time, unless you find a program in advance to serve as the common PID=1 parent process of the two applications.
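The "common parent process" in point 3 is what a container init does: it starts the applications, reaps every child that exits (as PID 1 it also inherits and must reap orphaned processes, otherwise they linger as zombies), and forwards termination signals so the whole container stops cleanly. The following added example (my own minimal version, not code from the original post or from any init project such as tini or dumb-init) does exactly that with the standard library; the `python_cmd` helper is just a portable way to build child commands.

```python
"""Added example (not from the original post): a minimal init-style parent
process that starts several children, reaps any child that exits (including
orphans re-parented to it when it really is PID 1) and forwards SIGTERM/SIGINT."""
import os
import signal
import sys


def spawn(argv):
    """fork + exec one child command; returns the child's pid."""
    pid = os.fork()
    if pid == 0:
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)   # only reached if exec failed
    return pid


def exit_code(status):
    """Translate a raw wait status into an exit code (negative = killed by signal)."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return -os.WTERMSIG(status)


def reap_all(expected):
    """Block until this process has no children left. waitpid(-1) reaps any
    child, so orphans re-parented to a PID 1 are collected too. Returns
    {pid: exit_code} for the pids in `expected`; other reaped pids are dropped."""
    statuses = {}
    while True:
        try:
            pid, status = os.waitpid(-1, 0)
        except ChildProcessError:
            return statuses      # no children remain
        if pid in expected:
            statuses[pid] = exit_code(status)


def supervise(commands):
    """Start every command, forward termination signals to the children and
    return their exit codes in command order once all have exited."""
    children = [spawn(cmd) for cmd in commands]

    def forward(signum, _frame):
        for pid in children:
            try:
                os.kill(pid, signum)
            except ProcessLookupError:
                pass            # child already gone

    try:
        signal.signal(signal.SIGTERM, forward)
        signal.signal(signal.SIGINT, forward)
    except ValueError:
        pass                    # handlers can only be installed from the main thread
    statuses = reap_all(set(children))
    return [statuses.get(pid) for pid in children]


def python_cmd(source):
    """Portable child command: run `source` with the current interpreter."""
    return [sys.executable, "-c", source]


if __name__ == "__main__":
    if os.getpid() == 1:
        print("running as PID 1: orphaned processes will be reaped here")
    print(supervise([python_cmd("import sys; sys.exit(3)"), python_cmd("pass")]))
```

Run as the container's entrypoint, this is the program the author refers to: both applications become its children, and the container lives exactly as long as the supervisor does.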

Tips

1. PID 1 is the parent process

Questions

1. What is CentOS?


Origin: blog.csdn.net/Amelie123/article/details/126069349