L3 - Virtualization 2/2 Flashcards
What are the two building blocks of OS-level virtualization?
cgroups and namespaces
–> they allow the guest OS to run on top of the host OS
What is a namespace?
a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. Resources may exist in multiple spaces.
–> key feature is that they isolate processes from each other
What are some examples of namespaces?
- process IDs
- hostnames
- user IDs
- file names
- names associated with network access
- interprocess communication
What is a user namespace?
A user namespace has its own set of user IDs and group IDs for assignment to processes. In particular, this means that a process can have root privileges within its user namespace without having it in other user namespaces.
What is a process ID (PID) namespace?
Assigns a set of PIDs to processes that are independent from the set of PIDs in other namespaces.
What is a network namespace?
A network namespace (netns) is a Linux kernel feature that allows for the isolation of the network stack and interfaces between multiple processes or containers running on a single host. Each network namespace has its own set of network interfaces, routing tables, firewall rules, and other network-related settings, which means that each process or container inside a namespace will have its own unique view of the network.
What is a mount namespace?
- a mount point is a directory or file at which a new file system is made accessible
A mount namespace has an independent list of mount points seen by the processes in the namespace. You can mount and unmount filesystems in a mount namespace without affecting the host filesystem.
What is a cgroup?
It is a control group. It is a Linux kernel feature that limits, accounts for, and isolates a collection of processes’ resource usage (CPU, memory, disk I/O, network, and so on).
What is the difference between namespaces and cgroups?
Namespaces provide isolation of system resources, and cgroups allow for fine‑grained control and enforcement of limits for those resources.
cgroups = limits how much you can use
namespaces = limits what you can see
What are the 3 main tasks of a cgroup on a group of processes?
- limit resources
- isolate resources
- audit the utilization of resources
Why are cgroups relevant for containers?
Cgroups are key components of containers because there are often multiple processes running in a container that you need to control together.
Types of cgroups
memory cgroups –> limit memory size
cpu cgroups
blkio cgroup
cpuset cgroup
device cgroup
freezer cgroup
What is the blkio cgroup about?
Provides block storage of the machine
What is the cpuset cgroup?
Provides a set of CPUs
What is the device cgroup?
About allowing device accessibility