Containers

From COMP15212 Wiki
Revision as of 10:02, 5 August 2019 by W81054ch (talk | contribs) (1 revision imported)
Depends on: Security, Processes, Virtual Machines

“Containers” is a generic term for virtual computers formed within a host system. This form of virtualisation is used to “contain” the access of some users or processes to certain sets of files or devices. In particular, if a server machine is notionally running many copies of the same operating system, containers can be used to make it look like many different (virtual) machines whilst the hardware and the operating system code are shared.

The container therefore looks like a virtual machine from the user perspective but does not require the expense of a separate kernel for each machine.


The container will probably have its own IP address and its own view of the filing system, in a manner like the earlier Unix chroot (see below). The apparent truncation of the file system is probably the most visible effect of the container for the user.

The container constrains its contents, which provides some system security. It also provides (and encloses) the environment in which its contents run. This makes containers (potentially) more portable – including reducing the danger of things ceasing to work when some (apparently) remote set-up is upgraded.

A container only needs to hold its own set of resources and processes. Being ‘lighter weight’ than a full-scale virtual machine it is easier (faster!) to port or copy. Thus a modern web-server might ‘contain’ each user, creating and destroying containers for the session.

Because different containers on the same physical machine are logically isolated they cannot communicate in ‘ordinary’ interprocess ways; they need to regard themselves as separate, networked computers – although they may be able to share files. The network software may be ‘clever’ enough to isolate the containers from the outside world, even if they are using (e.g.) IP to communicate. (NFS will allow computers to share file store across a network too, of course.)

Unlike a hypervisor-based system, all the containers must run under the same host O.S.

Docker

Docker is a major proponent of containerised software. Whilst it is not the purpose of this article to endorse any particular company there are some useful figures there.

chroot

Although it does not provide complete “containerisation”, the Unix chroot system call (only allowed to root) will redefine the root (“/”) of the apparent file tree. This partial restriction can contribute to security, for instance by creating a “honeypot”.

However, chroot (an old mechanism) alone cannot provide full security: a root user inside the subtree could mount another disk under its /dev/… or /proc/ and so see devices or processes outside this space. It is more of a convenience than a protection.


LXC

LinuX Containers (overview) are still fairly new, but liable to increase in prominence. (They are just one example; there are plenty of other approaches and the ‘standard’ is yet to settle out.)


Acknowledgement: Dr. Dave Gilbert, Red Hat Inc.


Also refer to: Operating System Concepts, 10th Edition: Chapter 18.5.8, pages 718-719

