C3 Flashcards

1
Q

why would we want to use containers?

A

Virtual machine instances are typically set up to run just one simple application, for which we don't need an entire fully featured OS (local file system, multi-user support, dual-mode operation). So why boot a full OS for a single application?

containers: virtualize only the environment offered by the OS, instead of virtualizing a full system.
OS environment: root file system, process tree and network connection.

=> make a single OS offer multiple such environments (containers), isolated from each other, each with its own root file system

2
Q

containers: what is the difference with hypervisors (whole-system virtualization)?

A
  • containers do not run a separate kernel, so all containers run in user mode and don't execute privileged instructions
  • containers are smaller than fully fledged OS images
  • faster boot times
  • isolation is not as stringent: if the kernel is compromised from one container, the other containers can potentially be accessed
3
Q

we need a set of specific kernel features to implement containers

A
  • chroot: change the root file system (restrict the container to a subtree of the file system tree)
  • cgroups: manage allocation of system resources such as CPU time, memory and network bandwidth
  • seccomp: security feature to limit the system calls that can be made from the container to the kernel
  • kernel namespaces: isolate processes running in a container from anything outside of the container
4
Q

we need a set of specific kernel features to implement containers

A
  • chroot: change the root file system (restrict the container to a subtree of the file system tree)
  • cgroups: manage allocation of system resources such as CPU time, memory and network bandwidth
  • seccomp: security feature to limit the system calls that can be made from the container to the kernel
  • kernel namespaces: isolate processes running in a container from anything outside of the container (e.g. the PID namespace)
5
Q

what is Docker?

A

a tool to manage containers locally and to support the development and creation of containers

Docker uses containerd (high-level container runtime), which uses runc (low-level container runtime)

6
Q

refresher: what are virtual machines and what are containers?

A

virtual machines: creating efficient and isolated duplicates of real machines

containers: isolated execution environments for applications

7
Q

IaaS data storage

A

storage to support machine virtualization

8
Q

IaaS data storage: what do we need to store?

A
  • VM disk images of active/suspended virtual machines
  • container images
  • VM image templates
9
Q

IaaS data storage: how can we store this?

A
  • image files: we can store all contents of a block device within a single (large) file
  • block storage: contents of a block device are stored within a remote block device
  • object storage: store the image file as an object
10
Q

IaaS data storage: where do we store this?

A

two options:
- on the VM host nodes (potentially better performance)
- off the VM host nodes (on a dedicated storage system; faster/easier migration and scaling)
