
Containers, Docker, NameSpaces, CGroups and OpenStack

Docker recently celebrated its second anniversary, and according to the Docker OpenStack Wiki page, “It is expected the driver will return to mainline Nova in the Kilo release.” The driver lets you treat a Docker Linux container in the same way you treat a VM. If you wonder what the difference between the two is, you are asking a good question. A VM is an abstraction of physical hardware, while a container is an abstraction performed by the operating system. More about that here. You can have an Ubuntu OS container running inside Fedora, Mac OS X or even Windows 8. Confused? I’ll try to help you with that in this blog post.

What is Docker?

Docker is one kind of Linux container. You can find more information about LXC and other Linux containers here. Think of a lightweight and isolated software entity running inside your OS and sharing the kernel with it. By isolated I mean a software entity with its own network, users, PIDs and more. By sharing the kernel I mean a software entity that piggybacks on (or relies on) the kernel of its host, whether that host is Linux, Mac OS X or Windows. The last two are supported by installing boot2docker, which provides the kernel on those host operating systems.

Containers rely on two Linux kernel technologies: cgroups and namespaces. cgroups (short for control groups) is a Linux kernel feature that provides resource isolation (CPU, memory, disk I/O, network). As a result, running the top command inside a container shows different results than running the same command outside the container, on the host machine.

Namespaces are isolated areas of the system. For example, Neutron uses network namespaces for the routers and DHCP servers running on the network node. Running ip netns lists the network namespaces currently present on the system:

$ ip netns

Running ifconfig or route -n inside a network namespace shows different results than running the same command on the host machine. That said, running the ps command to check the processes currently running on the system shows the same results inside a network namespace as on the host machine, because the isolation applies only to networking.

Docker takes advantage of several namespaces to provide isolation from the host machine. Inside a Docker container you have a different process tree, network, user IDs and mounted file systems than on the host machine. Docker requires kernel 3.8 as its minimum. To check whether your kernel is ready you may want to run the lxc-checkconfig command. See the output below for kernel 3.13.0:

ubuntu@docker-instance1:~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-46-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled 
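The difference between a process placed in a network namespace with ip netns exec (which differs from the host in the net namespace only) and a Docker container (which gets its own ipc, mnt, net, pid and uts namespaces) can be checked from user space by comparing the /proc/<pid>/ns/* links and the /proc/<pid>/cgroup file. The Python helper below is an added example, not code from the original post; the HOST, NETNS_SHELL and CONTAINER dictionaries are constructed sample values, and the 64-hex-character cgroup-path check is an assumed heuristic for Docker's container-id naming.

```python
import os
import re

# Namespace types exposed under /proc/<pid>/ns/ (cgroup appeared after 3.8).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def namespace_ids(pid="self"):
    """Return {ns_type: "type:[inode]"} read from /proc/<pid>/ns/*.

    Two processes share a namespace exactly when the link targets match.
    Missing or unreadable entries (non-Linux host, or no ptrace access to
    another user's process) are left out rather than raising.
    """
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return ids


def differing_namespaces(a, b):
    """Sorted namespace types whose ids differ between two namespace_ids() maps."""
    return sorted(ns for ns in NS_TYPES if ns in a and ns in b and a[ns] != b[ns])


def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup ('hierarchy-id:controllers:path' per line) into
    {controller: path}; cgroup v2 lines have an empty controller field ('')."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, controllers, path = line.split(":", 2)  # path itself may contain ':'
        for ctrl in (controllers.split(",") if controllers else [""]):
            out[ctrl] = path
    return out


def cgroup_path_looks_like_container(cgroup_map):
    """Heuristic (assumption): Docker places containers under paths that carry a
    64-hex-char container id, e.g. /docker/<id> or docker-<id>.scope."""
    return any(re.search(r"[0-9a-f]{64}", p) for p in cgroup_map.values())


# Constructed sample values (not captured from a real host).
HOST = {ns: f"{ns}:[{4026531835 + i}]" for i, ns in enumerate(NS_TYPES)}
# `ip netns exec` moves a shell into a different net namespace only ...
NETNS_SHELL = dict(HOST, net="net:[4026532201]")
# ... while a Docker container gets its own ipc, mnt, net, pid and uts.
CONTAINER = dict(HOST, ipc="ipc:[4026532300]", mnt="mnt:[4026532298]",
                 net="net:[4026532303]", pid="pid:[4026532301]", uts="uts:[4026532299]")
```

Comparing namespace_ids(os.getpid()) against namespace_ids(1) on a real host needs enough privilege to read PID 1's ns links; without it the map for PID 1 comes back empty and nothing is reported as differing.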

Using Docker

Now that you have more understanding of what Docker is all about let’s get down to business. In my next blog post I’ll describe basic usage of Docker.
