
How many processes are there between Windows and Docker

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article looks at "how many processes are there between Windows and Docker". Many people have doubts about this question in day-to-day operation, so the editor consulted a range of materials and sorted out simple, easy-to-use methods for answering it.

How many processes run in Linux and Windows Docker containers, respectively

When installing and configuring a Container Host, you will often get an error reporting that the Container OS Image download failed (nothing can be done about it, because of the wall).

What is Container OS? As the name implies, it is the OS seen from the container perspective.

Container OS is the set of user-mode OS components that the application depends on. For Windows containers these are system DLLs such as ntdll.dll, kernel32.dll, or coresystem.dll. All containers on the host share the kernel-mode OS components; for Windows, these are ntoskrnl.exe, drivers, and so on.

For example, the following command means that the Windows system gets the user-mode OS components of Windows Server Core from the docker image and launches cmd to get a shell.

docker run -it windowsservercore cmd

The same goes for Linux: the following command gets the user-mode components of Ubuntu from the docker image and starts a Bash shell.

docker run -it ubuntu /bin/bash

Of the two containers above, the Linux container has fewer processes. Please refer to the following screenshot:

For Windows containers, the situation is slightly different.

Starting Process Explorer on the Windows host, you can see that there are relatively many processes in this Windows container:

This is because a Windows system has to provide some user-mode system services, such as DNS, DHCP, RPC and so on. From the container's point of view, the container gets its own private set of these services (usually running in their own svchost or other service host processes), and together they make up the so-called Container OS.

We can use a PowerShell command to view the Windows services started inside the container. There are about 27, as shown in the figure.

Unfortunately, although this version of Windows docker includes a remote desktop service, it does not currently support remote desktop connections to a container, so the graphical interface of a container application cannot be used.

How many Windows services should be started for the applications in the container? Because the specific role of each Windows service is undocumented, the answer is not as concise as on Linux. However, because these services take up almost no additional resources, there is no impact on container performance.

How Windows Container processes are isolated

In the latest test version, the permission settings for container objects have changed so that they can only be viewed with SYSTEM permissions. To see the process isolation of a Windows container, you therefore need to start Winobj with SYSTEM privileges. This can be done with the help of PsExec:

psexec -i -d -s winobj.exe

You can see that there is an extra Containers node in the Windows object namespace, with several GUID branches under it. These GUIDs represent the containers in the system. Each container has its own independent namespace, such as BaseNamedObjects, holding mutexes, semaphores, memory sections, events, and so on. You can use PowerShell to view the GUID of a container; refer to the attached picture.

Each container node has its own Session branch. This container, for example, occupies Session 2 of the Windows system, as shown in the attached picture.

This is why, whether we use Task Manager, PowerShell, or Process Explorer on the Windows host, all processes in the container are shown with Session 2. With Process Explorer we can also see the handles opened by a process in the container, which point into the Windows container object namespace we saw earlier.

At the same time, you can see that the window station of the container processes is not WinSta0 but Service-0x0-3e7$. Hexadecimal 3e7 equals decimal 999, which is the window station where the SYSTEM service is located. So container processes cannot have a graphical interface on the Windows desktop.
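The session observation above can be checked from the host's process list. The following is an added example, not part of the original article: it parses text in the column layout of `tasklist /fo csv` and reports sessions other than 0 that run their own service-host processes. The sample rows are constructed, and treating svchost.exe or services.exe outside Session 0 as a sign of a container session is an assumption drawn from the description above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of `tasklist /fo csv`; PIDs, memory
# sizes and the process list are made up for illustration.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","140 K"
"smss.exe","312","Services","0","1,104 K"
"services.exe","540","Services","0","6,220 K"
"svchost.exe","688","Services","0","14,032 K"
"explorer.exe","3012","Console","1","61,880 K"
"powershell.exe","3344","Console","1","72,140 K"
"smss.exe","4100","","2","1,020 K"
"csrss.exe","4132","","2","3,540 K"
"services.exe","4208","","2","5,112 K"
"svchost.exe","4260","","2","9,876 K"
"svchost.exe","4312","","2","7,204 K"
"cmd.exe","4420","","2","2,960 K"
'''

# Assumption: these images outside Session 0 indicate a private service set.
SERVICE_HOSTS = {"svchost.exe", "services.exe"}


def processes_by_session(tasklist_csv):
    """Return {session id: [image names]} from tasklist CSV text."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        sessions[int(row["Session#"])].append(row["Image Name"].lower())
    return dict(sessions)


def likely_container_sessions(tasklist_csv):
    """Sessions other than 0 that run their own service-host processes."""
    return sorted(
        sid for sid, names in processes_by_session(tasklist_csv).items()
        if sid != 0 and SERVICE_HOSTS & set(names)
    )


if __name__ == "__main__":
    for sid in likely_container_sessions(SAMPLE_TASKLIST):
        print(sid, processes_by_session(SAMPLE_TASKLIST)[sid])
```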

You can also look at a meaningful object, the host directory where the Windows container is mounted, similar to the Volume of the Linux container.

How the file system of a Windows container is isolated

As with Linux, the Windows container image uses a layered file system. Creating a container from an image is equivalent to placing a read/write file system layer on top of the read-only layered file system. If the file you want to modify is not in the uppermost read/write layer, the target file is looked up down through the layers, copied to the read/write layer with COW (copy on write), and modified there.

Let's go to the following directory of the Windows host: C:\ProgramData\Microsoft\Windows\Hyper-V\Containers. This directory lists all the container files created by the PowerShell command. The folders and files under it are all named after the GUID of the container.

The file 926A300B-ACB7-4B28-9D86-45BF82C1211C.vhdx is the uppermost read/write layer of the container and is a VHDX file. Keep in mind that the read/write layer is not a complete file system; it has to form a Union File System together with the image's existing file system. If you double-click the VHDX to mount it on the Windows system (you can only try to mount a container VHDX while the container is stopped), the following error message pops up, indicating that the virtual hard disk cannot be mounted.

The file system of the image is located in the following path (the Container OS files of WindowsServerCore): C:\ProgramData\Microsoft\Windows\Images\CN=Microsoft_WindowsServerCore_10.0.10586.0\Files. If you use Process Explorer to view the DLLs accessed by a container process, you can see that the access path points to these Container OS files.

If you create the container with the docker command, the principle is similar, but the read/write layer file system is located in the following path: C:\ProgramData\docker\windowsfilter

Unlike Linux, Windows also has a registry, so Windows containers need to isolate the registry as well. Registry namespace isolation works like file system namespace isolation and is similar to Union FS. Let's go inside the Windows container folder created by the PowerShell command. C:\ProgramData\Microsoft\Windows\Hyper-V\Containers\926A300B-ACB7-4B28-9D86-45B

Under this Hives folder there are many files named *_Delta, which are the registry hive files accessed by the container.

As the naming suggests, the registry of the container, like the file system, uses a layered architecture, and the top layer is a read/write registry namespace. The image also has registry space for the read-only portion, at the following path: C:\ProgramData\Microsoft\Windows\Images\CN=Microsoft_WindowsServerCore_10.0.10586.0\Hives. In Process Explorer you can see the merged contents of the read/write layer and the read-only layer of the registry.
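The layered lookup and copy-on-write behaviour described for both the container file system and the container registry can be modelled in a few lines. This is an added example, not code from the article or from Windows or Docker: `LayeredStore` and all sample names and values are constructed for illustration. It shows that the image layers stay untouched and that the read/write layer alone records what the container changed.

```python
class LayeredStore:
    """Read-only image layers under a single read/write container layer."""

    def __init__(self, *image_layers):
        # Ordered base -> top. Private copies that are never written to.
        self._image = tuple(dict(layer) for layer in image_layers)
        self.rw = {}  # plays the role of the container's .vhdx or *_Delta hive

    def image_value(self, key):
        """What the image alone holds for key (None if absent)."""
        for layer in reversed(self._image):
            if key in layer:
                return layer[key]
        return None

    def read(self, key):
        """Top-down lookup: read/write layer first, then the image layers."""
        if key in self.rw:
            return self.rw[key]
        value = self.image_value(key)
        if value is None:
            raise KeyError(key)
        return value

    def modify(self, key, change):
        """Copy-on-write: take the visible copy, change it, keep it in rw."""
        self.rw[key] = change(self.read(key))

    def create(self, key, value):
        self.rw[key] = value

    def container_changes(self):
        """Keys the container wrote, split into modified-from-image and new."""
        return {k: ("modified" if self.image_value(k) is not None else "new")
                for k in self.rw}


def demo():
    # Constructed sample content; names and values are illustrative only.
    files = LayeredStore({r"Windows\System32\kernel32.dll": "image build",
                          r"app\settings.ini": "mode=default"})
    files.modify(r"app\settings.ini", lambda text: text.replace("default", "custom"))
    files.create(r"app\output.log", "started")
    hive = LayeredStore({r"SOFTWARE\Example\Port": 80})
    hive.modify(r"SOFTWARE\Example\Port", lambda port: port + 8000)
    return files, hive
```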

The container created by the Docker command is similar in method and located in a path similar to the following:

Resource restrictions of Windows containers

As you know, Docker can use CGroup technology to limit the CPU, memory and other resources of a Linux container. In a Windows container, the memory limit is implemented with Windows's JO (Job object) technology. You can refer to the following techniques to limit the CPU, memory, and disk IO of a Windows container. For example, you can limit the memory of the container to a maximum footprint of 5GB. https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_resources?f=255&MSPPError=-2147217396

Then use Process Explorer to open the properties dialog of any container process and switch to the Job tab.

You can see that all container processes share one job object, and the memory limit (Job Memory Limit) for that job object is 5GB.

This concludes the study of "how many processes are there between Windows and Docker". Combining theory with practice is the best way to learn, so go and try it!
