Introduction of namespace and Linux cgroups


                                       Author: Yin Zhengjie

Copyright: original work, reproduction declined! Violators will be held liable.

I. Linux Namespace technology

  Namespace is a concept implemented at the kernel level of the Linux system: the kernel provides several different types of namespaces, and every Docker container's main process runs on, and shares, the same kernel as the Docker host.

  Each Docker container runs in the host's user space. Like a virtual machine, each container needs a runtime space that is isolated from the others, but container technology is only a runtime environment for the process of a specified service, so it must also protect the host kernel and other processes from interference and influence in areas such as the file system, the network and the process table. The isolation of a running container's space is currently achieved mainly by the following techniques.

1>.MNT Namespace 

  Each container must have its own root file system in user space so that the service can be started inside the container with the container's own operating environment. For example, when the host is an Ubuntu server, you can start a container whose internal operating environment is CentOS and start an Nginx service inside it; the execution environment Nginx uses at run time is then the CentOS system directory tree. The container cannot access the host's resources, because the host uses chroot-style technology to confine the container to a designated run directory.

 

2>.IPC Namespace 

  Interprocess communication within a container: different processes inside the same container are allowed to share data (memory, cache, etc.), but they cannot access the data of other containers across the container boundary.

3>.UTS Namespace 

  The UTS namespace (UNIX Timesharing System; it contains information such as the name and version of the running kernel and the type of the underlying architecture) is used for system identification and also contains the hostname and the domain name (DOMAINNAME), so that a container has its own hostname identifier, independent of the hostname that identifies the host system.

 

4>.PID Namespace 

  In a Linux system there is a process with PID 1 (init/systemd) that is the parent of all other processes; likewise, each container must have a parent process that manages its child processes, so the processes of multiple containers are isolated from each other by the PID namespace (handling issues such as duplicated PID numbers and the container's main process reaping its child processes).

 

5>.Net Namespace 

  Every container, like a virtual machine, has its own network interface, listening ports, TCP/IP stack, and so on. Docker uses a network namespace to start a vethX interface, so that your container has its own bridged IP address, usually via docker0. docker0 is essentially a Linux virtual bridge; a bridge is a data-link-layer (OSI layer 2) network device that partitions the network by MAC address and forwards data directly between different networks.

 

6>.User Namespace 

  The same user and group names, or the same user UIDs and GIDs, may appear in several containers, so how is the user space of each container isolated?
  The User Namespace allows the same user names and the same UIDs and GIDs to be created inside each container on a host, but restricts the scope of those users to their own container: container A and container B can have accounts with the same user name and ID, but an account is valid only within its current container and cannot access the file system of another container. The containers are mutually isolated, do not affect each other, and never meet.
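The six namespace types above are visible from user space: every process exposes its namespaces as symlinks under /proc/<pid>/ns/, and readlink on such a link returns a string like "uts:[4026531838]", where the number is the inode that identifies the namespace. Two processes share a namespace exactly when those inodes are equal, which gives a defender a cheap way to tell which processes on a host live in a container-style isolated namespace set. The script below is an added example, not code from the original post or from Docker; the PID and inode values in SAMPLE are constructed for illustration, and the live-mode helper assumes the real Linux /proc layout.

```python
"""Group processes by Linux namespace membership using /proc/<pid>/ns/* links."""
import os
import re
from typing import Dict, List, Tuple

# The namespace types discussed in the post (newer kernels also have "cgroup" and "time").
NS_TYPES = ("mnt", "ipc", "uts", "pid", "net", "user")

_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")

# Constructed sample data: inode numbers are made up for this example.
HOST = {"mnt": 4026531840, "ipc": 4026531839, "uts": 4026531838,
        "pid": 4026531836, "net": 4026531992, "user": 4026531837}
# A typical container gets fresh mnt/ipc/uts/pid/net namespaces but, without
# user-namespace remapping, keeps sharing the host's user namespace.
CONTAINER = {**HOST, "mnt": 4026532200, "ipc": 4026532201, "uts": 4026532202,
             "pid": 4026532203, "net": 4026532204}
SAMPLE = {
    1:    {t: f"{t}:[{HOST[t]}]" for t in NS_TYPES},       # host init / systemd
    812:  {t: f"{t}:[{HOST[t]}]" for t in NS_TYPES},       # an ordinary host shell
    1234: {t: f"{t}:[{CONTAINER[t]}]" for t in NS_TYPES},  # container main process
    1235: {t: f"{t}:[{CONTAINER[t]}]" for t in NS_TYPES},  # child inside the same container
}


def parse_ns_link(link: str) -> Tuple[str, int]:
    """Parse a /proc/<pid>/ns/* symlink target such as 'uts:[4026531838]'."""
    m = _LINK_RE.match(link)
    if m is None:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group("type"), int(m.group("inode"))


def namespaces_from_links(sample: Dict[int, Dict[str, str]]) -> Dict[int, Dict[str, int]]:
    """Turn {pid: {type: link_text}} into {pid: {type: inode}}."""
    return {pid: {t: parse_ns_link(link)[1] for t, link in links.items()}
            for pid, links in sample.items()}


def read_process_namespaces(pid: int, proc_root: str = "/proc") -> Dict[str, int]:
    """Live mode (Linux only): read the namespace inodes of a running process."""
    result: Dict[str, int] = {}
    for ns_type in NS_TYPES:
        path = os.path.join(proc_root, str(pid), "ns", ns_type)
        result[ns_type] = parse_ns_link(os.readlink(path))[1]
    return result


def isolated_namespaces(proc_ns: Dict[str, int], ref_ns: Dict[str, int]) -> List[str]:
    """Namespace types in which proc_ns differs from the reference (usually PID 1)."""
    return [t for t in NS_TYPES if proc_ns.get(t) != ref_ns.get(t)]


def group_by_namespace(procs: Dict[int, Dict[str, int]], ns_type: str) -> Dict[int, List[int]]:
    """Map each namespace inode of the given type to the sorted PIDs living in it."""
    groups: Dict[int, List[int]] = {}
    for pid, ns in procs.items():
        groups.setdefault(ns[ns_type], []).append(pid)
    return {inode: sorted(pids) for inode, pids in groups.items()}


if __name__ == "__main__":
    procs = namespaces_from_links(SAMPLE)
    for pid, ns in procs.items():
        diff = isolated_namespaces(ns, procs[1])
        status = "shares all namespaces with PID 1" if not diff else "isolated in " + ", ".join(diff)
        print(f"pid {pid}: {status}")
    print("pid namespace groups:", group_by_namespace(procs, "pid"))
```

On a real host, replacing SAMPLE with `{pid: read_process_namespaces(pid) for pid in pids}` (reading PIDs from /proc) produces the same report for live processes; a process whose mnt, pid and net inodes differ from PID 1's while its user inode matches is the common "container without user-namespace remapping" pattern described in the User Namespace section.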

 

II. Linux control groups

1>.

2>.

3>.

4>.

5>.


Origin www.cnblogs.com/yinzhengjie/p/12183066.html