% ----------------------------
\subsubsection{How to isolate Applications}
\begin{frame}[fragile]
  \frametitle{How to isolate Applications}
  \begin{itemize}
    \item System Information via Kernel API
    \begin{itemize}
      \item Syscalls
      \item PseudoFS (e.g.\ /proc and /sys)
      \item Filesystem tree
      \item Network Infrastructure (interfaces, components)
    \end{itemize}
    \item Namespaces
    \begin{itemize}
      \item Reduction of System Scope
      \item System View Virtualization
    \end{itemize}
    \item Control group
    \begin{itemize}
      \item Partitioning of System Resources (CPU time, Memory, etc.)
    \end{itemize}
    \item Container
    \begin{itemize}
      \item Configuration Tools
      \item Use Namespaces and Control groups
      \item Application in a Box
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Namespaces}
\begin{frame}[fragile]
  \frametitle{Namespaces}
  \begin{itemize}
    \item Mount: \\ Provide different filesystem
    \item PID: \\ Provide new Process-ID scope
    \item IPC: \\ Provide isolated inter-process communication entities
    \item Network: \\ Provide isolated networking environment
    \item User: \\ Provide different User/UID mapping
    \item UTS: \\ Provide different hostname
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Container}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Containers}
  \begin{itemize}
    \item Application Isolation
    \item Lightweight Virtualization
    \item Based on cgroups and namespaces
    \item Easy namespace configuration and management
    \item Projects:
    \begin{itemize}
      \item Docker
      \item Linux-VServer
      \item OpenVZ
      \item Linux Container (LXC)
      \item \dots
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{LXC Handling}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Linux Containers (LXC)}
  \begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
    \begin{scriptsize}
\begin{verbatim}
# Start: Better for single commands
lxc-execute -n cont_name [-f config] /bin/bash
# Start: Better for container systems
lxc-start -n cont_name [-f config]
# Stop container
lxc-stop -n cont_name
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Control container:}
    \begin{scriptsize}
\begin{verbatim}
# Pause/resume container (controlling group of processes)
lxc-freeze -n cont_name
lxc-unfreeze -n cont_name
# Monitor container states
lxc-monitor -n cont_name
# Attach to container console
lxc-console -n cont_name
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Linux Container (LXC): Configuration I}
  \begin{beamerboxesrounded}[shadow=true]{Networking example:}
    \begin{scriptsize}
\begin{verbatim}
#
# new hostname for container
#
lxc.utsname = myhostname
#
# Network virtualization
# - private segment in container
# - connected via br0 to device network
#
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Linux Container (LXC): Configuration II}
  \begin{beamerboxesrounded}[shadow=true]{Control group example:}
    \begin{scriptsize}
\begin{verbatim}
#
# new hostname for container
#
lxc.utsname = myhostname
#
# schedule container processes only on CPU 3 and 4
#
lxc.cgroup.cpuset.cpus = 3,4
#
# Deny access to device nodes other than
# - /dev/null (c, 1, 3)
# - /dev/urandom (c, 1, 9)
# - /dev/sda5 (b, 8, 5)
#
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:9 ro
lxc.cgroup.devices.allow = b 8:5 rw
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Container: Summary}
  \begin{itemize}
    \item Lightweight Virtualization
    \item Isolation of Applications
    \item Hide System Resources/Configuration
    \item Common:
    \begin{itemize}
      \item Shared Kernel (one kernel serves the host and all containers)
    \end{itemize}
    \item Solution:
    \begin{itemize}
      \item Visibility between Applications
      \item Sandbox (in combination with MAC)
    \end{itemize}
  \end{itemize}
\end{frame}