Linux Containers (LXC) are an operating-system-level virtualization technique: containers share the running host kernel instead of each booting its own, as a virtual machine does. You can find more details about virtualization here.
The building blocks of LXC are cgroups and namespaces, two Linux kernel features that provide resource control/limiting and resource isolation for processes. LXC itself is a user-land tool that interfaces with the kernel's cgroups and namespaces to create and manage containers.
Anatomy of lxc
It's all about cgroups and namespaces.
Cgroups (control groups) are a kernel mechanism for controlling and limiting the resources used by a process or group of processes. They are also capable of measuring and monitoring (accounting for) the total resources used by a process or group of processes.
The main resources involved are:
- CPU
- Memory
- Disk bandwidth
- Network bandwidth
How does it control?
For example, suppose I want to control the resources of an application as follows:
- CPU 80% (maximum 80% of one CPU)
- Memory 10 GB (maximum 10 GB of memory)
- Disk Read/Writes 70% (maximum 70% of disk read/write bandwidth)
- Network bandwidth 60% (maximum 60% of network bandwidth)
Here I can create a group (via cgroups) and assign the above resource limits to that group.
Then I add the applications (for example mongodb, httpd, etc.) to this group. Applications added to the group know nothing about these limits; the kernel enforces them from outside the applications. Processes in the group cannot use more than 80% CPU, 10 GB of memory, 70% of disk R/W and 60% of network bandwidth. The percentages are an illustration: in the kernel interface the CPU limit is a quota per scheduling period, the memory limit is a byte count (a group that exceeds it is first reclaimed and then hit by the cgroup's OOM killer, not told "no" by the application), disk I/O is a weight or a per-device bytes/s or IOPS cap, and network bandwidth is not shaped by a cgroup controller at all; the cgroup only classifies the group's traffic and tc does the shaping.
How does it monitor?
We can read the resource consumption of any application assigned to a group (CPU time used, current and peak memory, I/O bytes) from the group's accounting counters, again without changing the application.
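The limits above expressed as cgroup v2 settings, with the group created, an application run inside it and its usage read back. This is an added example, not code from the original article: it assumes the unified (cgroup v2) hierarchy is mounted at /sys/fs/cgroup with the cpu, memory and io controllers available, that it runs as root (or inside a subtree delegated to you), and the group name CG_NAME is hypothetical. Network bandwidth has no cgroup v2 controller, so it is only mentioned in a comment.

```shell
#!/bin/bash
# Added example (not from the original article): cgroup v2 limits for an
# application, applied from the percentages/GB in the text, plus accounting.
# Assumptions: cgroup v2 mounted at /sys/fs/cgroup, cpu/memory/io controllers
# available, root (or a delegated subtree), hypothetical group name below.
# Network bandwidth is not a cgroup v2 controller: a cgroup only classifies
# traffic (v1 net_cls, or BPF attached to the v2 group); tc does the shaping.
set -eu

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}
CG_NAME=${CG_NAME:-app-limited}

# cpu.max is "<quota> <period>" in microseconds: 80% of one CPU with the
# default 100 ms period is a quota of 80000 us per 100000 us (values above
# 100% mean more than one CPU).
cpu_max_for_percent() {
    local pct=$1 period=${2:-100000}
    printf '%d %d\n' $(( pct * period / 100 )) "$period"
}

# memory.max is a byte count (or "max"); 10 GB -> 10737418240.
bytes_for_gb() {
    printf '%d\n' $(( $1 * 1024 * 1024 * 1024 ))
}

# io.max takes one line per block device: "<major>:<minor> rbps=N wbps=N"
# (bytes per second, or "max"). A percentage has no direct equivalent here,
# so the caller supplies absolute rates.
io_max_line() {
    local dev=$1 rbps=$2 wbps=$3
    printf '%s rbps=%s wbps=%s\n' "$dev" "$rbps" "$wbps"
}

# cpu.stat is "key value" per line; pull usage_usec out of it (stdin).
usage_usec_from_cpu_stat() {
    awk '$1 == "usage_usec" { print $2 }'
}

cg_create() {
    mkdir -p "$CG_ROOT/$CG_NAME"
    # A child group only gets a controller's files once the parent enables it.
    local c
    for c in cpu memory io; do
        grep -qw "$c" "$CG_ROOT/cgroup.subtree_control" ||
            echo "+$c" > "$CG_ROOT/cgroup.subtree_control"
    done
}

cg_set_limits() {   # cg_set_limits <cpu%> <memGB> [<maj:min> <rbps> <wbps>]
    cpu_max_for_percent "$1" > "$CG_ROOT/$CG_NAME/cpu.max"
    bytes_for_gb "$2"        > "$CG_ROOT/$CG_NAME/memory.max"
    if [ $# -ge 5 ]; then
        io_max_line "$3" "$4" "$5" > "$CG_ROOT/$CG_NAME/io.max"
    fi
}

# Run a command inside the group: the child writes its own PID into
# cgroup.procs and then execs, so the application itself never knows.
cg_run() {
    sh -c 'echo "$$" > "$1/cgroup.procs"; shift; exec "$@"' _ \
        "$CG_ROOT/$CG_NAME" "$@"
}

# Accounting: CPU time consumed and current memory, straight from the kernel.
cg_usage() {
    printf 'cpu_usec=%s mem_bytes=%s\n' \
        "$(usage_usec_from_cpu_stat < "$CG_ROOT/$CG_NAME/cpu.stat")" \
        "$(cat "$CG_ROOT/$CG_NAME/memory.current")"
}

# Demo (root only): `./cgroup-limits.sh demo` runs a CPU burner under the
# limits from the text, then prints what the group has consumed.
if [ "${1:-}" = demo ]; then
    cg_create
    cg_set_limits 80 10
    cg_run sh -c 'i=0; while [ $i -lt 2000000 ]; do i=$((i+1)); done' &
    sleep 2
    cg_usage
    wait
fi
```

The conversion functions are the part worth keeping around: most "why is my limit not working" incidents come down to writing a percentage or a GB count into a file that expects microseconds or bytes, or to creating the group under a parent that never enabled the controller in cgroup.subtree_control.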
Namespaces are used for process isolation (keeping a process or group of processes in an isolated environment). A namespace gives a process or group of processes its own isolated view of one kind of resource. The Linux kernel supports the six namespace types below (newer kernels add two more, cgroup and time namespaces, not covered here).
1. pid namespaces
The Linux kernel traditionally maintains a single process tree. PID namespaces allow multiple nested process trees, each with an entirely separate set of process IDs. The first process in a new PID namespace gets PID 1 and acts as that tree's init; when it exits, the kernel kills every other process in the namespace. Processes in one tree cannot see, or send signals to, processes in a parent or sibling tree.
Processes in a child namespace cannot see the processes of the parent namespace, but processes in the parent namespace have a complete view of the child namespace: every process has a PID in each of its ancestor namespaces, which is why `ps` on the host lists a container's processes (under different PIDs than the container sees).
2. mnt namespace
Allows a process or group of processes to have their own root and their own set of mounts. It is similar to chroot but more thorough: chroot only changes the root directory, leaves the process in the host's mount table and is not a security boundary (a root process can escape it), whereas a mount namespace gives the group a private mount table, so mounts made inside it are invisible outside and vice versa. Container runtimes combine it with pivot_root rather than chroot.
3. net namespace
Allows a process or group of processes to see an entirely different set of network interfaces, with their own routing table, netfilter rules and port numbers. A fresh network namespace contains only a loopback device; connectivity is normally added with a veth pair whose other end stays in the host namespace, attached to a bridge.
4. ipc namespace
The IPC namespace gives a process or group of processes its own inter-process communication resources (System V IPC objects and POSIX message queues), so a container cannot read or interfere with the host's shared memory segments, semaphores or queues.
5. uts namespace
The UTS namespace isolates two specific identifiers of the system, nodename (the hostname) and domainname, so a container can set its own hostname without changing the host's.
6. user namespace
The user namespace allows a process to have root privileges (UID 0 and a full capability set) inside the namespace without giving it that access to processes or resources outside the namespace. UIDs and GIDs inside are mapped to a range of unprivileged IDs outside (for example UID 0 inside to UID 100000 on the host), and the capabilities held inside only apply to objects owned by that namespace; this is what makes unprivileged containers possible.
It provides a mechanism for separate users, groups and capability lists for a process or group of processes.
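The six namespaces above, seen from both sides: a script that reports which namespaces two processes share (the check behind "is this process actually isolated from me?") and launches a shell into fresh pid, mnt, net, ipc, uts and user namespaces to show the view from inside. This is an added example, not code from the original article. It assumes Linux with /proc, util-linux's unshare(1), and a kernel that permits unprivileged user namespaces so the demo runs without root; the hostname "isolated-demo" is hypothetical.

```shell
#!/bin/bash
# Added example (not from the original article): inspect the namespaces a
# process lives in, and show the isolated view from inside fresh namespaces.
# Assumptions: Linux /proc, util-linux unshare(1), unprivileged user
# namespaces allowed; the hostname set below is hypothetical.
set -eu

NS_TYPES="user pid mnt net ipc uts"

# /proc/<pid>/ns/<type> is a symlink whose target names the namespace inode,
# e.g. "pid:[4026531836]". Equal targets mean the same namespace.
ns_id() {   # ns_id <pid> <type>
    readlink "/proc/$1/ns/$2"
}

# Print the namespace types in which two processes differ.
ns_diff() {   # ns_diff <pid_a> <pid_b>
    local t
    for t in $NS_TYPES; do
        [ "$(ns_id "$1" "$t")" = "$(ns_id "$2" "$t")" ] || echo "$t"
    done
    return 0
}

# Effective capability mask (hex) from /proc/<pid>/status text on stdin.
# "root" in a user namespace shows a full mask here, yet those capabilities
# only apply to objects owned by that namespace.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# Direct children of a process, via /proc/<pid>/stat (the ppid is the second
# field after the ")"; the comm field may contain spaces, hence the sed).
children_of() {
    local p
    for p in /proc/[0-9]*; do
        [ "$(sed 's/.*) //' "$p/stat" 2>/dev/null | awk '{print $2}')" = "$1" ] &&
            echo "${p#/proc/}"
    done
    return 0
}

# Inside: PID 1 of its own tree, uid 0 with a full CapEff, a hostname change
# that never reaches the host, and a network stack holding only loopback.
inside_view() {
    unshare --user --map-root-user --pid --fork --mount-proc \
            --net --uts --ipc sh -c '
        hostname isolated-demo
        echo "pid=$$ hostname=$(hostname) uid=$(id -u)"
        grep CapEff /proc/self/status
        echo "processes visible: $(ls /proc | grep -c "^[0-9]")"
        echo "net devices:$(tail -n +3 /proc/net/dev | cut -d: -f1)"
    '
}

# Demo: `./ns-demo.sh demo`
if [ "${1:-}" = demo ]; then
    echo "host hostname=$(hostname)"
    inside_view
    # Compare this shell with a longer-lived isolated child. unshare(1) itself
    # enters the new user/mnt/net/uts/ipc namespaces, but a pid namespace only
    # applies to children, so the difference shows up one level down.
    unshare --user --map-root-user --pid --fork --mount-proc --net --uts --ipc \
        sleep 5 &
    child=$!
    sleep 1
    echo "unshare process differs in: $(ns_diff "$$" "$child" | tr '\n' ' ')"
    for gc in $(children_of "$child"); do
        echo "its child (pid $gc) differs in: $(ns_diff "$$" "$gc" | tr '\n' ' ')"
    done
    wait "$child"
fi
```

Run with `demo` and compare the two `ns_diff` lines: the unshare process reports user, mnt, net, uts and ipc, while its child additionally reports pid. That asymmetry is worth remembering when auditing a sandbox: a process can be in a new pid namespace only if it was forked after the namespace was created.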
lxc with cgroups and namespaces
Cgroups and namespaces can be applied to any process running on a Linux system, independently of each other (for example, you can limit the CPU usage of a single process with a cgroup without isolating it in any namespace).
When the full set of cgroups (cpu, memory, disk r/w, network bw) and namespaces (pid, mnt, net, ipc, uts, user) is applied together, you end up with a group of processes running in a fully isolated environment within the Linux system. These isolated environments are Linux containers. In practice LXC layers further hardening on top of the two primitives, such as dropping capabilities, a seccomp syscall filter and an AppArmor or SELinux profile, because the container still shares the host kernel and a kernel bug is a way out of every namespace at once.
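How LXC wires each of those primitives to one container, as an added example that is not part of the original article or of the LXC project: a config using the article's limits (80% CPU, 10 GB memory) and all six namespaces, plus the post-start checks that confirm the kernel applied them. It assumes LXC 3.x/4.x on a cgroup v2 host (hence the `lxc.cgroup2.*` keys), a rootfs already prepared under ROOTFS and owned by the mapped IDs, a host bridge named lxcbr0, and the lxc-* commands on PATH; the container name and paths are hypothetical.

```shell
#!/bin/bash
# Added example (not the original article's or the LXC project's code): an
# LXC config tying cgroup limits and all six namespaces to one container,
# plus checks that the kernel really applied them.
# Assumptions: LXC 3.x/4.x, cgroup v2 host, rootfs prepared under $ROOTFS
# and owned by the mapped ids, bridge lxcbr0, lxc-* tools on PATH.
set -eu

LXC_NAME=${LXC_NAME:-app-limited}
ROOTFS=${ROOTFS:-/var/lib/lxc/$LXC_NAME/rootfs}

# Render the config. The cgroup values are the article's 80% / 10 GB already
# converted to the units the kernel files expect (quota/period us, bytes).
lxc_config() {
    cat <<EOF
# --- mnt namespace: private root and mount table ---
lxc.rootfs.path = dir:$ROOTFS
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

# --- uts namespace ---
lxc.uts.name = $LXC_NAME

# --- net namespace: one veth pair bridged to the host ---
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

# --- user namespace: uid/gid 0-65535 inside map to 100000-165535 outside ---
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

# --- cgroups (v2 keys): 80% of one CPU, 10 GB memory ---
lxc.cgroup2.cpu.max = 80000 100000
lxc.cgroup2.memory.max = 10737418240

# --- hardening LXC adds beyond namespaces and cgroups ---
lxc.cap.drop = sys_module sys_time sys_rawio mac_admin mac_override
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
lxc.apparmor.profile = generated
EOF
}

# Read one key back out of a rendered config file (first match).
cfg_get() {   # cfg_get <key> <file>
    awk -v k="$1" -F' = ' '$1 == k { print $2; exit }' "$2"
}

# After start: the cgroup files as the kernel holds them, and a namespace
# comparison between this shell and the container's init (host PID).
lxc_verify() {
    echo "cpu.max    = $(lxc-cgroup -n "$LXC_NAME" cpu.max)"
    echo "memory.max = $(lxc-cgroup -n "$LXC_NAME" memory.max)"
    local init t
    init=$(lxc-info -n "$LXC_NAME" -pH)
    for t in user pid mnt net ipc uts; do
        if [ "$(readlink "/proc/$$/ns/$t")" = "$(readlink "/proc/$init/ns/$t")" ]; then
            echo "WARNING: $t namespace is shared with the host"
        fi
    done
    lxc-attach -n "$LXC_NAME" -- sh -c 'echo "inside: hostname=$(hostname) uid=$(id -u) pid=$$"'
}

# Demo (root): `./lxc-demo.sh demo`
if [ "${1:-}" = demo ]; then
    cfg=/var/lib/lxc/$LXC_NAME/config
    mkdir -p "$(dirname "$cfg")"
    lxc_config > "$cfg"
    lxc-start -n "$LXC_NAME"
    lxc-wait -n "$LXC_NAME" -s RUNNING
    lxc_verify
fi
```

The verify step is the habit worth adopting: read the limits back with `lxc-cgroup` and compare `/proc/<init>/ns/*` against your own shell rather than trusting the config file, since a key that LXC ignored (wrong cgroup version, a typo) fails silently and leaves the container sharing more with the host than intended.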