Reputation: 528
OS containers isolation vs process isolation
How is the isolation provided by operating system containers different than that provided by the kernel between many processes?
Each process is already isolated from any other process running on the same kernel. How is this isolation different than the isolation provided by containers?
Upvotes: 20
Views: 4191
Answers (3)
Reputation: 16307
Two mechanisms make this possible.
- The first one, Linux Namespaces, makes sure each process sees its own personal view of the system (files, processes, network interfaces, hostname, and so on).
- The second one is Linux Control Groups (cgroups), which limit the amount of resources the process can consume (CPU, memory, network bandwidth, and so on).
ISOLATING PROCESSES WITH LINUX NAMESPACES
By default, each Linux system initially has one single namespace. All system resources, such as filesystems, process IDs, user IDs, network interfaces, and others, belong to the single namespace. But you can create additional namespaces and organize resources across them. When running a process, you run it inside one of those namespaces. The process will only see resources that are inside the same namespace. Well, multiple kinds of namespaces exist, so a process doesn’t belong to one namespace, but to one namespace of each kind.
The following kinds of namespaces exist:
Mount (mnt)
Process ID (pid)
Network (net)
Inter-process communication (ipc)
UTS
User ID (user)
Each namespace kind is used to isolate a certain group of resources. For example, the UTS namespace determines what hostname and domain name the process running inside that namespace sees. By assigning two different UTS namespaces to a pair of processes, you can make them see different local hostnames. In other words, to the two processes, it will appear as though they are running on two different machines (at least as far as the hostname is concerned).
Likewise, what Network namespace a process belongs to determines which network interfaces the application running inside the process sees. Each network interface belongs to exactly one namespace, but can be moved from one namespace to another. Each container uses its own Network namespace, and therefore each container sees its own set of network interfaces.
This should give you a basic idea of how namespaces are used to isolate applications running in containers from each other.
LIMITING RESOURCES AVAILABLE TO A PROCESS
The other half of container isolation deals with limiting the amount of system resources a container can consume. This is achieved with cgroups, a Linux kernel feature that limits the resource usage of a process (or a group of processes). A process can’t use more than the configured amount of CPU, memory, network bandwidth, and so on. This way, processes cannot hog resources reserved for other processes, which is similar to when each process runs on a separate machine.
Upvotes: 0
Reputation: 4677
Each process is already isolated from any other process running on the same kernel.
Are they? How does kill -9 work? I can just reach out and zap any process I feel like, if I have enough permissions.
Container technologies like Docker, rkt, and LXC utilize two linux kernel features in particular to achieve "containerization".
The first is namespaces. From the opening blurb of the wikipedia entry:
Namespaces are a feature of the Linux kernel that isolate and virtualize system resources of a collection of processes. Examples of resources that can be virtualized include process IDs, hostnames, user IDs, network access, interprocess communication, and filesystems. Namespaces are a fundamental aspect of containers on Linux.
So I can use namespaces, for example, to restrict what a process can see or who a process can talk to, at the kernel level. I can configure interprocess communication and file system visibility in such a way that my kill -9 command cannot see the processes that live in a different namespace, and as such can't just kill them willy-nilly.
Second is control groups, which allows for resource limits and isolation. Cgroups let us tell a process "you can only have 512MB of memory and 10% host CPU usage". If I have some ugly command that is capable of using 99% of the CPU, the other processes on the host will not be isolated against having to share 1% of the CPU every now and then. With Cgroups, I can change that though. I can tell my ugly command "you only get 25% of the CPU at any given time" and that's all it can have.
The thing to remember here, these are linux kernel features, not some bolted-on system manager tool or other piece of software. Docker/rkt/LXC are platforms and tooling wrapped around these two core features of the kernel, they simply utilizing what is already there at the very basic level, making it more usable.
Upvotes: 12
Reputation: 149
If by "operating system containers" you mean something like Dockers, my anwser is on that.
On Dockers you can limit memory and CPU usage for each containers you setup on the same machine. Here's a link that explains how and some of the various possibilities:
https://docs.docker.com/engine/admin/resource_constraints/
While on processes you can do something similar with Job Objects, they need to be coded in you app.
https://msdn.microsoft.com/en-us/library/ms684161(VS.85).aspx
Hope I understood well the question.
Upvotes: 1
Related Questions
- Are docker containers totally isolated from the host machine OS?
- OS Container vs Application Container
- Docker OS / application containers
- How are operating system containers different from virtual machines?
- docker os container vs app container
- Docker container isolation, does it care about underlying Linux OS?
- Performance isolation of containers (on Linux)?
- How is Docker different from a normal OS process?
- Application Isolation with Linux Containers?
- Separate containers vs One container - Unity