February 3rd, 2021
Hello everyone, when I started to write daily like 1 month ago one of the first things that I've covered was the question of "what is a container?". I believe that topic is one of the most attractive topics around the tech to to this day. Today I'll briefly cover 2 technologies, Namespaces and Cgroups. Those are the main force behind the containers as we know of today.
Earlier in the former post we talked about what can a container provide to us and why they are so useful, you can check the post I mentioned from here. So what's up with those 2 that I've just mentioned about and why I referred them as the main force behind the container technologies in general, let's figure it out.
I'll just copy here what is says on the original manual of namespaces then I'll explain what that really means in plain English.
"A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers."
So what's that supposed to mean, that basically means namespaces are a kernel feature that allows you to set restrictions on what a group of processes can see about the rest of the system. So it's being used to create isolation, the famous isolation part that everyone talks about all the time.
There are different types of namespaces I'll cover some of them, if you want to learn about every single one of them you can go ahead and check the original manual here.
PID Namespaces: With PID namespaces you can isolate the PID namespace so different processes in different namespaces can take the same process id (PID) which is as you might probably know not possible when 2 processes are aware of each other. When you create a new PID Namespace the new processes always starts at 1 just like a normal system. In those new namespace we can create other processes with fork, vfork and clone functions. All the new processes are going to be unique in their new system without understanding what's really going on in the host OS(operating system) or other namespaces.
Mount Namespace: In a Linux system when we mount or unmount a filesystem all the other processes can observe that process, with Mount Namespace we can basically limit that. This isolation provides us an ability to mount different file systems w/o effecting the host.
Network Namespaces: I'll just copy here the formal definition and then I'll explain what the use of it for real "Network namespaces provide isolation of the system resources associated with networking: network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, the /proc/net directory". So that basically allows us to create multiple containers that can listen on the same port, because they are isolated and they do not aware of each other's existence. In a Linux system normally all the processes can reach the information about the IP addresses with network namespaces that can be easily limited.
Cgroups are basically the technology that allows us to set resource usage limits on Linux processes. Many resources can be limited by using Cgroups, I'll touch on some and link the manual for the ones who wants a in depth look.
cpu_set: It defines which process can use which CPU/CPUs
memory: Basically limits the memory usage.
pid: Normally a process can have as many child processes as it wants, with pid we can limit that.
freezer: The freezer can can stop and resume all processes in a cgroup.
You can check all the groups from here.
I also saw that simple yet understandable limitation example over a university system on this website. I'll share it below here.
Alright everyone that's it for today, I hope that it was an helpful guide for you. Until next time, take care... :)