Linux Namespaces and Control Groups
Revision as of 23:33, 29 February 2020
Linux Namespaces
Namespace support arrived in the Linux kernel incrementally rather than in one release: the mount namespace appeared in 2.4.19, UTS and IPC in 2.6.19, PID in 2.6.24, network in 2.6.29, and the user namespace was completed in 3.8, the version usually quoted when people say "namespaces were added to Linux".
Namespaces provide isolation by controlling what a process can see (its view of process IDs, mounts, network interfaces, hostname and so on); control groups provide resource management and reporting by controlling how much of a resource (CPU time, memory, I/O bandwidth, number of processes) a process or group of processes may consume. Neither replaces the other: a container needs both, plus capability dropping and seccomp, to be usefully confined.
- Namespaces provide isolation so that the rest of the system remains unaffected by whatever runs inside the namespace. Docker creates a fresh set of namespaces of each kind for every container, which is what lets a container stay portable and keeps it from affecting the remainder of the host system.
Namespace types (in kernel):
- User :- maps user and group IDs inside the container to a different range on the host, so that uid 0 inside is an ordinary unprivileged uid outside. Docker shipped this as experimental in 1.9 and has supported it since 1.10 through the daemon's userns-remap option. The remap interacts with other isolation features and with sharing: files on bind mounts and volumes keep their host ownership, so a remapped container may be unable to read them, and Docker's --pid=host, --network=host and --privileged modes do not combine with it. User namespaces can be nested up to 32 levels deep.
- PID :- Process ID namespace: gives the container its own sequence of process IDs. Its first process is PID 1 (the container's init) and it cannot see or signal host processes; separate namespaces also avoid PID conflicts between containers. PID namespaces nest, so the host still sees every container process, under a host PID.
- Mount :- gives each container its own mount table, so volumes and filesystems mounted in the container are visible only there; similar in effect to chroot, but it isolates the entire mount tree rather than only changing the root directory.
- IPC :- Inter-Process Communication namespace: isolates System V IPC objects (shared memory, semaphores, message queues) and POSIX message queues. Processes that share an IPC namespace can use them to communicate; processes outside it cannot see them at all. Docker's --ipc option lets two containers (for example cooperating services) share one IPC namespace while staying separated from the host.
- Network :- gives the container its own network stack: interfaces, IP addresses, routing tables, firewall rules, sockets and port numbers. A container started with --network=host gives this up and shares the host's stack.
- UTS :- Unix Time-Sharing namespace: holds the hostname and NIS domain name, so a single system can present different host and domain names to different processes; what a process sees is whatever was set inside its own namespace.
- Cgroup :- (kernel 4.6+) virtualises the view of the cgroup hierarchy, so a container sees its own cgroup as the root in /proc/<pid>/cgroup and /sys/fs/cgroup rather than the host's full tree.
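As an added example (it is not code from the original page, from Docker or from the kernel tree), the C program below exercises the user, UTS and PID namespaces listed above and checks the isolation from both sides. It clone()s a child into fresh user, UTS, PID, mount, IPC and network namespaces, writes the child's uid_map and gid_map the way an unprivileged caller is allowed to, and confirms from the parent that every /proc/<pid>/ns inode of the child differs from its own; the child confirms that it is PID 1, that it can rename its host without touching the real hostname, and that it is uid 0 only inside the namespace. The hostname "ns-demo" is a constructed value. It needs a Linux 3.19 or newer kernel and either root or unprivileged user namespaces; where the kernel refuses (seccomp in a default Docker container, a sysctl that disables unprivileged user namespaces, a chrooted caller) it reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
#define DEMO_HOSTNAME "ns-demo"   /* constructed name, set only inside the new UTS namespace */

/* Namespace identity of `pid` for namespace `ns` ("uts", "pid", "mnt", ...), read from
 * /proc/<pid>/ns/<ns>, e.g. "uts:[4026531838]"; equal strings mean the same namespace. */
int ns_ident(pid_t pid, const char *ns, char *out, size_t outlen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    ssize_t n = readlink(path, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Write one line into /proc/<pid>/<file> (uid_map, setgroups, gid_map). */
static int write_proc(pid_t pid, const char *file, const char *line)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Runs inside the new namespaces; exits non-zero when an expectation fails. */
static int child_main(void *arg)
{
    int *sync_pipe = arg;
    char ch, host[64];
    close(sync_pipe[1]);                                  /* keep only the read end */
    if (read(sync_pipe[0], &ch, 1) != 0) _exit(10);       /* EOF = parent wrote the id maps */
    if (getpid() != 1) _exit(11);                         /* PID ns: we are its init */
    /* UTS ns: CAP_SYS_ADMIN in our own user ns is enough; the host's hostname is untouched */
    if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) != 0) _exit(12);
    if (gethostname(host, sizeof host) != 0 || strcmp(host, DEMO_HOSTNAME) != 0) _exit(13);
    if (geteuid() != 0) _exit(14);                        /* user ns: root here, plain user outside */
    _exit(0);
}

/* Spawn a child in fresh user, UTS, PID, mount, IPC and network namespaces, map its
 * root to the caller's uid/gid, and check the isolation from both sides. Returns 0 when
 * every check passes, 1 when the kernel refuses to create the namespaces (unprivileged
 * user namespaces disabled, seccomp, chroot, old kernel) and -1 on any other failure. */
int demo_namespaces(void)
{
    int sync_pipe[2];
    if (pipe(sync_pipe) != 0) return -1;
    char *stack = malloc(STACK_SIZE);                     /* clone gets the top: stacks grow down */
    if (!stack) return -1;
    int flags = CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID |
                CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD;
    pid_t child = clone(child_main, stack + STACK_SIZE, flags, sync_pipe);
    if (child < 0) {
        fprintf(stderr, "clone: %s\n", strerror(errno));
        close(sync_pipe[0]); close(sync_pipe[1]); free(stack);
        return 1;
    }
    /* Unprivileged mapping rules: a single line mapping our own id, and setgroups
     * denied before gid_map. Until the maps exist the child's ids read as nobody. */
    char uid_line[64], gid_line[64], mine[64], theirs[64];
    snprintf(uid_line, sizeof uid_line, "0 %d 1\n", (int)getuid());
    snprintf(gid_line, sizeof gid_line, "0 %d 1\n", (int)getgid());
    int ok = write_proc(child, "uid_map", uid_line) == 0 &&
             write_proc(child, "setgroups", "deny") == 0 &&
             write_proc(child, "gid_map", gid_line) == 0;
    /* Parent's view: each namespace inode of the child must differ from our own. */
    const char *kinds[] = { "user", "uts", "pid", "mnt", "ipc", "net" };
    for (size_t i = 0; ok && i < sizeof kinds / sizeof kinds[0]; i++)
        ok = ns_ident(getpid(), kinds[i], mine, sizeof mine) == 0 &&
             ns_ident(child, kinds[i], theirs, sizeof theirs) == 0 &&
             strcmp(mine, theirs) != 0;
    close(sync_pipe[1]);                                  /* EOF releases the child */
    close(sync_pipe[0]);
    int status = 0;
    waitpid(child, &status, 0);
    free(stack);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    int rc = demo_namespaces();
    printf("demo_namespaces: %s\n", rc == 0 ? "isolation verified" : rc == 1 ? "namespaces unavailable here" : "check failed");
    return rc < 0;
}
```

Build with gcc -Wall and run it as an ordinary user; "isolation verified" means the six namespaces were created without any privilege on the host. Comparing the /proc/<pid>/ns links is also what lsns and an incident responder do to decide whether two processes share a namespace, which is why the check is done from the parent rather than trusting the child's own view.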
Control Groups
- Control Groups (cgroups) provide resource limitation, prioritisation, accounting and reporting for a process or group of processes. They give granular control over which host resources a container (or set of containers) may use, how much of each, and with what priority relative to others; without them a container can exhaust host memory or CPU and take neighbouring workloads down with it. The kernel exposes two interfaces: cgroup v1 mounts one hierarchy per controller (/sys/fs/cgroup/memory/, /sys/fs/cgroup/cpu/, ...), while cgroup v2, the default on current distributions, uses a single unified hierarchy under /sys/fs/cgroup/ with per-cgroup control files such as memory.max, cpu.max and pids.max.
Common cgroup controllers
- CPU :- cpu (quota and period, cpu.max in v2) and cpuset (pinning to particular cores)
- Memory :- memory (hard limit memory.max in v2, memory.limit_in_bytes in v1; the OOM killer acts inside the cgroup when the limit is hit)
- Network bandwidth :- in v1, net_cls and net_prio tag a cgroup's packets so that tc and iptables can shape them; v2 has no such controller and uses eBPF programs attached to the cgroup instead
- Disk :- blkio (v1) or io (v2) for throughput and IOPS limits on block devices
- Priority :- relative weighting when a resource is contended: cpu.shares (v1) / cpu.weight (v2), blkio.weight / io.weight
- Process count :- pids (pids.max) caps the number of tasks in the cgroup, the defence against fork bombs that Docker's --pids-limit sets
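As an added example (not code from the original page or from any project), the C code below serves both the description of cgroups above and the controller list. It contains parsers for the cgroup v2 control-file formats (the "0::/path" lines of /proc/<pid>/cgroup, the quota/period pair in cpu.max, and the number-or-"max" form of memory.max and pids.max), a probe that reports which memory and CPU limits apply to the calling process, and, for a root caller on a cgroup v2 host, a function that creates a cgroup under /sys/fs/cgroup, caps it with pids.max and moves the caller into it. The file names and formats are the kernel's own; the cgroup name "/demo" and the limit of 20 processes mentioned below are constructed values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CGROUP_ROOT "/sys/fs/cgroup"   /* unified (cgroup v2) mount point */

/* One /proc/<pid>/cgroup line: v2 reads "0::/path"; v1 lines ("7:memory:/path", one per
 * controller) are rejected. Inside a cgroup namespace the path shows as just "/". */
int cgroup_v2_path(const char *line, char *out, size_t outlen)
{
    if (strncmp(line, "0::", 3) != 0) return -1;
    const char *p = line + 3;
    size_t n = strcspn(p, "\n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* cpu.max holds "<quota> <period>" in microseconds ("max" = no cap); yields the number
 * of CPUs' worth of time the cgroup may use per period, or -1.0 when uncapped. */
int parse_cpu_max(const char *text, double *cpus)
{
    char quota[32], *end;
    unsigned long period;
    if (sscanf(text, "%31s %lu", quota, &period) != 2 || period == 0) return -1;
    if (strcmp(quota, "max") == 0) { *cpus = -1.0; return 0; }
    unsigned long q = strtoul(quota, &end, 10);
    if (end == quota || *end != '\0') return -1;
    *cpus = (double)q / (double)period;
    return 0;
}

/* memory.max / pids.max: 1 for "max" (no limit), 0 with *value set, -1 for garbage. */
int parse_limit(const char *text, unsigned long long *value)
{
    if (strncmp(text, "max", 3) == 0) return 1;
    char *end;
    errno = 0;
    *value = strtoull(text, &end, 10);
    return (errno != 0 || end == text) ? -1 : 0;
}

/* Read the first line of "/sys/fs/cgroup<path>/<file>", newline stripped. */
static int read_ctl(const char *path, const char *file, char *buf, size_t n)
{
    char full[512];
    snprintf(full, sizeof full, "%s%s/%s", CGROUP_ROOT, path, file);
    FILE *f = fopen(full, "r");
    int ok = f && fgets(buf, (int)n, f) != NULL;
    if (f) fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok ? 0 : -1;
}

/* Write a value to "/sys/fs/cgroup<path>/<file>"; the kernel rejects bad values. */
static int write_ctl(const char *path, const char *file, const char *s)
{
    char full[512];
    snprintf(full, sizeof full, "%s%s/%s", CGROUP_ROOT, path, file);
    FILE *f = fopen(full, "w");
    if (!f) return -1;
    int ok = fputs(s, f) != EOF;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Limits in force for the caller: memory.max and cpu.max of its v2 cgroup. Returns -1
 * on cgroup v1 hosts and in the root cgroup, which has no limit files of its own. */
int my_limits(unsigned long long *mem_max, int *mem_unlimited, double *cpus)
{
    char line[256], path[256], text[64];
    FILE *f = fopen("/proc/self/cgroup", "r");
    int found = 0;
    while (f && !found && fgets(line, sizeof line, f))
        found = cgroup_v2_path(line, path, sizeof path) == 0;
    if (f) fclose(f);
    if (!found || read_ctl(path, "memory.max", text, sizeof text) != 0) return -1;
    if ((*mem_unlimited = parse_limit(text, mem_max)) < 0) return -1;
    if (read_ctl(path, "cpu.max", text, sizeof text) != 0) return -1;
    return parse_cpu_max(text, cpus);
}

/* Root only, cgroup v2: create /sys/fs/cgroup<path>, cap its process count and move the
 * caller into it, so fork() beyond pids.max fails with EAGAIN. Needs "pids" enabled in
 * the parent's cgroup.subtree_control (systemd enables it on the root by default). */
int cgroup_limit_self(const char *path, const char *pids_max)
{
    char dir[512], pid[32];
    snprintf(dir, sizeof dir, "%s%s", CGROUP_ROOT, path);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) return -1;
    if (write_ctl(path, "pids.max", pids_max) != 0) return -1;
    snprintf(pid, sizeof pid, "%d", (int)getpid());
    return write_ctl(path, "cgroup.procs", pid);
}
```

Call my_limits() from your own main() to print the limits that apply to your process; inside a container it reports the container's caps, because the cgroup namespace makes the container's cgroup appear as "/" while the control files still come from the real cgroup. As root, cgroup_limit_self("/demo", "20") makes the 21st concurrent process in your tree fail with EAGAIN, which is exactly the mechanism behind a container runtime's --pids-limit. Parse the files rather than eyeballing them: "max" and a number look alike in a log but mean opposite things for capacity planning and for spotting a container that was started without limits.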