Reprinted from the Grape City official website. Grape City provides professional development tools, solutions and services for developers.
Last time we talked about the history of PaaS: from Cloud Foundry's dismal exit to Docker's coronation. It was a "small" improvement by Docker that had a butterfly effect and set the whole open-source PaaS market surging.
To better understand containers, the core technology of the PaaS world, this article starts from a process, explains what a container is, and shows how the earlier wave of PaaS platforms such as Cloud Foundry implemented containers.
Process vs. container
Take the Linux operating system as an example. A process is what a program becomes once it is executed: the binary loaded from disk into memory, together with the registers, the stack and the state of the devices used by its instructions, a dynamic combination of data and state. The goal of container technology is to isolate and limit the state and data of a process. The essence of a container is therefore a special kind of Linux process. This special process is realised mainly through two mechanisms the Linux kernel provides. Let's review them.
Linux namespaces are a kernel feature that partitions kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set. It works by giving a group of resources and processes the same namespace, within which the same names refer to different underlying resources; a resource may exist in several namespaces. Examples of such resources are process IDs, hostnames, user IDs, file names, and names related to network access and inter-process communication. The namespace types are listed below:
- Mount namespaces
- UTS namespaces
- IPC namespaces
- PID namespaces
- Network namespaces
- User namespaces
In a Linux system, the process with PID==1 is called the super process. It is the root of the whole process tree and is responsible for spawning all other user processes. Every process hangs under it, and if it exits, all other processes are killed.
Isolation & limitation
We just mentioned isolation and limitation. What do they mean concretely?
Take Docker as an example (Cloud Foundry works the same way, but it is not installed on my machine). We can create a simple container with the following command:
$ docker run -it busybox /bin/sh
This command tells docker to run a container from the image named busybox and to execute /bin/sh once the container is up; the -it flags ask for a standard input (stdin) and a terminal (tty) so that we can interact with it. With this command we are inside a container. Running the top command inside the container and on the host gives the following results:
(Figure: result of running top inside and outside the container)
Inside the container only two processes are running: the main process /bin/sh, the super process with PID==1, and the top we just ran. Every other process on the host is invisible inside the container. This is isolation.
(Figure: the isolated top process, picture from the Internet)
Normally, whenever we run a /bin/sh program, the operating system assigns it a process number, say PID 100. Now we run this /bin/sh inside a container through Docker, and Docker puts up a "smokescreen" around PID 100 so that it can never see the 99 processes before it. In this way the program running in the container believes it is the super process with PID==1.
This mechanism is in fact a manipulation of the process space of the isolated program: although it shows up as PID 1 inside the container, on the host it is still the same process, PID 100. The technology used is the Linux namespace mechanism, which is simply an optional flag passed when Linux creates a process. In Linux, the function that creates a thread is (no mistake here, it really is threads: Linux implements threads as processes, so the same call describes processes):
int pid = clone(main_function, child_stack, SIGCHLD, NULL); /* child_stack points at the top of the new process's stack */
If we add a flag to this call, for example CLONE_NEWPID:
int pid = clone(main_function, child_stack, CLONE_NEWPID | SIGCHLD, NULL);
then the new process sees a brand-new process space. Because it is the only process in that space, its own PID is equal to 1.
Such a process realises the most basic isolation of a Linux container.
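The clone() call above, carried through as a complete program. This is an added example, not code from the article: the child reports the PID it sees back to the parent over a pipe, and CLONE_NEWUSER is added so that the namespace can be created without root (the kernel or a sandbox may still refuse, in which case the function returns -1).

```c
#define _GNU_SOURCE               /* needed for clone() and CLONE_NEW* in glibc */
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#ifndef CLONE_NEWPID               /* fallback if headers were seen without _GNU_SOURCE */
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWUSER 0x10000000
int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...);
#endif
#define STACK_SIZE (1024 * 1024)

/* Entry point of the cloned child: report the PID it sees to the parent. */
static int child_main(void *arg) {
    int *pipefd = arg;
    pid_t self = getpid();                   /* 1 inside a fresh PID namespace */
    close(pipefd[0]);
    if (write(pipefd[1], &self, sizeof self) != sizeof self)
        return 1;
    close(pipefd[1]);
    return 0;
}

/* Clone a child into a new PID namespace and return the PID it reports.
 * CLONE_NEWUSER is added so an unprivileged user may create the namespace.
 * Returns -1 when the kernel (or a sandbox's seccomp policy) refuses. */
int pid_seen_in_new_ns(void) {
    int pipefd[2];
    if (pipe(pipefd) == -1) return -1;
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    /* clone() wants the TOP of the child's stack: stacks grow downwards */
    pid_t host_pid = clone(child_main, stack + STACK_SIZE,
                           CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, pipefd);
    pid_t ns_pid = -1;
    close(pipefd[1]);                        /* parent keeps only the read end */
    if (host_pid != -1) {
        if (read(pipefd[0], &ns_pid, sizeof ns_pid) != sizeof ns_pid)
            ns_pid = -1;
        waitpid(host_pid, NULL, 0);
        printf("host sees PID %d, child sees PID %d\n", host_pid, ns_pid);
    }
    close(pipefd[0]);
    free(stack);
    return ns_pid;
}
int main(void) { return pid_seen_in_new_ns() == 1 ? 0 : 1; }
```

On a host that allows unprivileged user namespaces the program prints something like "host sees PID 4321, child sees PID 1", which is exactly the smokescreen described above.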
A container that has only namespace isolation is like a programmer without a computer: incomplete.
If we only isolate without limiting, the program in the cage can still consume system resources, and its access to them is still unrestricted. To add resource constraints to an isolated program, a second technology is used: cgroups.
cgroups, whose full name is Linux Control Groups, was originally developed by Google engineers in 2006. It is the Linux feature that sets an upper limit on the resources a group of processes may use, including CPU, memory, disk, network bandwidth and more.
cgroups exposes its API to users as a file system; users operate cgroups by modifying the values in these files.
(Figure: a process limited by a cgroup, picture from the Internet)
On a Linux system (Ubuntu) you can run the following command to view the cgroups API files:
mount -t cgroup
(Figure: the cgroup file system)
As the picture shows, the system contains cgroups configuration for many subsystems, including cpu, memory and IO.
Let's use CPU as an example to illustrate the cgroups feature. Limiting CPU involves two parameters, cfs_period and cfs_quota; these are the parameters usually manipulated when restricting the CPU of the Docker workloads on our public cloud. Used together they mean: within a period of length cfs_period, the process group may only be allotted cfs_quota of CPU time in total. In other words, cfs_quota / cfs_period == the CPU usage upper limit.
To limit the CPU use of a process, go to the /sys/fs/cgroup/cpu directory and run the following command to create a folder named container:
/sys/fs/cgroup/cpu/ > mkdir container
Now we can see that the system has automatically generated a series of CPU-restriction parameter files inside container. Linux creates them on its own, which means we have successfully created a CPU control group named container:
(Figure: the default list of CPU resource files)
To show the actual effect of a CPU limit, let's run an endless loop created with the following script:
while : ; do : ; done &
In the top output we see that the returned process is 398, and because of the endless loop its CPU usage is 100%:
(Figure: the endless-loop process taking up 100% CPU)
Now let's look at cpu.cfs_quota_us and cpu.cfs_period_us in the container directory:
(Figure: the default CPU limiting parameters)
This is what it looks like with no limit: cfs_quota_us is -1, meaning there is no upper limit on CPU use. Now let's change this value:
echo 20000 > /sys/fs/cgroup/cpu/container/cpu.cfs_quota_us
Then write the earlier process 398 into the tasks file of this control group:
echo 398 > /sys/fs/cgroup/cpu/container/tasks
Run top again and the CPU usage of the endless loop has become 20%: the CPU resource restriction has taken effect.
(Figure: the endless-loop process with its CPU usage limited by a cgroup)
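The same mkdir / echo procedure, written as a small C program (an added example, not code from the article). It assumes a cgroup v1 host with the cpu controller mounted at /sys/fs/cgroup/cpu and root privileges for the real run; the cgroup root is a parameter so the file-writing logic can also be exercised against an ordinary directory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write one value into <dir>/<file>, exactly what `echo value > file` does. */
static int write_value(const char *dir, const char *file, long value) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    int rc = fprintf(fp, "%ld\n", value) > 0 ? 0 : -1;
    return fclose(fp) == 0 ? rc : -1;
}

/* Read a value back from <cpu_root>/<name>/<file>; -2 if it cannot be read. */
long read_value(const char *cpu_root, const char *name, const char *file) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s/%s", cpu_root, name, file);
    FILE *fp = fopen(path, "r");
    long v = -2;
    if (fp) { if (fscanf(fp, "%ld", &v) != 1) v = -2; fclose(fp); }
    return v;
}

/* Create control group <name> under <cpu_root> (normally /sys/fs/cgroup/cpu),
 * set the CFS period and quota, and attach <pid> through the tasks file.
 * Returns 0 on success, -1 on failure (e.g. not root, or a cgroup v2 host). */
int cgroup_cpu_limit(const char *cpu_root, const char *name,
                     long quota_us, long period_us, pid_t pid) {
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/%s", cpu_root, name);
    if (mkdir(dir, 0755) == -1 && errno != EEXIST) return -1;
    if (write_value(dir, "cpu.cfs_period_us", period_us) == -1) return -1;
    if (write_value(dir, "cpu.cfs_quota_us", quota_us) == -1) return -1;
    return write_value(dir, "tasks", (long)pid);
}

/* quota / period is the share of one CPU the group may use; -1 = unlimited */
double cpu_limit_percent(long quota_us, long period_us) {
    return quota_us < 0 ? -1.0 : 100.0 * quota_us / period_us;
}
int main(void) {
    /* Real use (root, cgroup v1): cap PID 398 at 20% of one CPU, as in the article */
    if (cgroup_cpu_limit("/sys/fs/cgroup/cpu", "container", 20000, 100000, 398) == -1)
        perror("cgroup_cpu_limit");
    return 0;
}
```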
This is the principle by which cgroups limits a container. In the same way we can limit the memory, bandwidth and so on of a process, and if that process is a container process, a resource-controlled container basically appears in front of you. In fact, in the early days of the cloud era this is exactly how Cloud Foundry and the other pioneers created and managed containers. Compared with the latecomers, the isolation and limitation of containers in Cloud Foundry is relatively simple and easy to understand, but in some scenarios its constraints are hard to avoid.
A special note: only containers running on Linux are simulated by restricting processes. Containers on Windows and Mac are "real" virtual containers produced by running a virtual machine through Docker Desktop and similar tools.
This section started from the principle of containers and the Linux technologies for container isolation and restriction, and explained the container principle of Cloud Foundry and the other PaaS platforms of the early cloud era. The next section will continue with the changes Docker made on top of Cloud Foundry's container base, and how it solved Cloud Foundry's fatal weakness.
If you want to know how Docker stirred up the storm, and what the difference is between a Docker container and a traditional virtual machine,
please look forward to the next installment, where we continue the story.