“Low Fat”Virtualization

6e Séminaire fribourgeoisLinux embarqué

Dr Jacques SupcikEcole d’ingénieurs et d’architectes de Fribourg

8 mai 2014

“Classical”Virtualization…

Effective…but not light

Virtualization needs a lotof resources

Virtualization works bestwith special hardware

So what about a more“skinny” virtualization

Types of Virtualization

chrootThe chroot system call was introduced during development ofVersion 7 Unix in 1979 is was available since 1982(32 years old).Provides (partial) file system isolation only.“root” users can still escape chroot.requires some manual linking (or copying) of system files.

BSD's “Jail”

BSD's “Jail”Available since 1998 (16 years old).Provides disk and CPU quotas, memory limits, network androot privilege isolation.

OpenVZ

Available since 2005 (9 years old).

Requires a special kernel.

Adds I/O rate limiting, partition checkpointing and live

migration.

Still used by hosting companies to provide virtual private

servers.

OpenVZ

Source: OpenVZ Web site

Container looks like a normal Linux system. It has standard

startup scripts, software from vendors can run inside

Container without OpenVZ-specific modifications or

adjustment.

A user can change any configuration file and install additional

software.

Containers are fully isolated from each other (file system,

processes, Inter Process Communication (IPC), sysctl

variables).

OpenVZ

Source: OpenVZ Web site

Containers share dynamic libraries, which greatly savesmemory.Processes belonging to a Container are scheduled forexecution on all available CPUs. Consequently, Containers arenot bound to only one CPU and can use all available CPUpower.

LXC Linux Container

LXC Linux ContainerAvailable since 2008 (6 years old).Relies on the Linux kernel “cgroups” functionality that wasreleased in version 2.6.24.Full file system isolation and root privilege isolation sinceversion 1.0 (February 2014 / Linux kernel 3.8)No partition checkpointing and no live migration!“chroot on steroids”.

Cgroups (control groups)Name space Isolation

PID namespace : Isolation for the allocation of processidentifiers.Network namespace : Isolates the NIC, iptables rules, routing,etc.“UTS” namespace : Allows changing the hostname.Mount namespace : Allows creating a different file systemlayout.IPC namespace : Isolates the System V IPC.

DockerAvailable since 2013 (1 year old young).Based on LXC.Is currently under heavy development. Docker should not beused in production (yet).“Docker is an open-source engine that automates thedeployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere.”

Docker

If you want to try “Docker” you can easilly do it on a “Droplet” at

Digital Ocean. (5$ for 1 month)

Thank You!

Referenceshttp://japanese.lingualift.com/blog/what-sumo-eat-wrestlers-diet/http://community.futureshop.ca/t5/Tech-Blog/How-to-build-a-PC-How-to-upgrade-your-RAM/ba-p/426769https://en.wikipedia.org/wiki/Western_Digital_Raptorhttp://www.pcper.com/news/General-Tech/ARM-aims-make-TSMC-Fab-choice-their-customershttp://www.reflexandwellnessclinic.com/projects/services/https://en.wikipedia.org/wiki/Chroothttp://sysadvent.blogspot.ch/2010/12/day-14-freebsd-jails.htmlhttp://openvz.org/User_Guide/OpenVZ_Philosophyhttps://linuxcontainers.org/http://www.linuxadvocates.com/2013/04/linux-containers-and-why-they-matter.htmlhttps://www.docker.io/https://en.wikipedia.org/wiki/Operating_system-level_virtualizationhttps://en.wikipedia.org/wiki/LXC