2025-03-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
"In-depth Analysis of Kubernetes-06 | Container Basics in Plain Language (2): Isolation and Restriction"
1. Isolation
The main difference between a virtual machine (VM) and a container (Docker) is that a VM relies on the hypervisor layer for resource isolation and virtualization, while a container is implemented by the OS itself.
Without optimization, a VM itself occupies 100-200 MB of memory. In addition, any call that touches the underlying host must be intercepted and handled by the virtualization software, which adds another layer of performance loss, mainly in network and disk I/O.
The isolation mechanism of containers is not perfect. The biggest problem is that the isolation is incomplete, which shows up mainly as follows:
(1) When you run commands such as free and top inside a container, the data you see is the host's, because /proc is not isolated. Likewise, many applications running in a container, Java for example, do not correctly recognize the memory and CPU limits applied to them.
(2) Although each container can mount a different operating system's files through mount namespace isolation, all containers ultimately run on the same operating system kernel as the host. This means you cannot run Linux containers on Windows, or containers built for a newer Linux version on a host running an older Linux version.
2. Restrictions (cgroups)
cgroups limit the resources a group of processes can use, such as memory, CPU, network bandwidth and disk.
The interface that cgroups expose to users is the file system: they appear as files and directories under the /sys/fs/cgroup path.
root@ubuntu:~# mount -t cgroup
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
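The gap between the unisolated /proc view and the real cgroup limits can be checked from inside a process. The following is an added example, not code from the original article. It assumes the cgroup v1 layout shown in the mount listing and that the process's own cgroup is visible at those paths; the function names and the sample values are constructed for illustration.

```python
import os
import tempfile

def _read(root, rel):
    with open(os.path.join(root, rel)) as f:
        return f.read().strip()

def host_mem_bytes(root="/"):
    # /proc/meminfo is not namespaced: a container still sees the host's RAM here.
    for line in _read(root, "proc/meminfo").splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) * 1024  # field is in kB
    raise ValueError("MemTotal not found")

def cgroup_limits(root="/"):
    """Return (memory limit in bytes, CPU limit in cores); None means unlimited."""
    mem = int(_read(root, "sys/fs/cgroup/memory/memory.limit_in_bytes"))
    if mem >= host_mem_bytes(root):  # unlimited cgroups report a huge value
        mem = None
    cpu_dir = "sys/fs/cgroup/cpu,cpuacct/"
    quota = int(_read(root, cpu_dir + "cpu.cfs_quota_us"))  # -1 means no quota
    period = int(_read(root, cpu_dir + "cpu.cfs_period_us"))
    return mem, (quota / period if quota > 0 else None)

def report(root="/"):
    host = host_mem_bytes(root)
    mem, cpus = cgroup_limits(root)
    return {
        "proc_mem_bytes": host,              # what free/top would show
        "effective_mem_bytes": mem or host,  # what the process can really use
        "cpu_limit_cores": cpus,
        "proc_overstates_memory": mem is not None,
    }

def sample_report():
    # Constructed sample tree: 16 GiB host, container capped at 512 MiB and 0.5 CPU.
    files = {
        "proc/meminfo": "MemTotal:       16777216 kB\n",
        "sys/fs/cgroup/memory/memory.limit_in_bytes": "536870912\n",
        "sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us": "50000\n",
        "sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us": "100000\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        return report(root)
```

Calling report() with the default root reads the live system; sample_report() runs the same logic against the constructed tree. A runtime that sizes its heap or thread pools from /proc alone would see 16 GiB here while the cgroup allows only 512 MiB.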