Thursday, 18 September 2014

Linux Containers Architecture RHEL 7

Initially I thought to write about the docker command-line and configuration, but I was later advised by a few of my colleagues that a brief introduction to Linux containers would be much more helpful, and hence I thought to share the introductory article below.

Several components are needed for Linux containers to function correctly, and most of them are provided by the Linux kernel. Kernel namespaces provide process isolation, and cgroups are employed to control system resources. SELinux is used to assure separation between the host and the containers, and also between the individual containers. The management interface forms a higher layer that interacts with the aforementioned kernel components and provides the tools for constructing and managing containers.


Namespaces

The kernel provides process isolation by creating separate namespaces for containers. A namespace wraps a particular global system resource (process IDs, mount points, network interfaces, IPC objects, the hostname, user and group IDs) in an abstraction that makes it appear as a separate instance to the processes inside that namespace. Consequently, several containers can use the same kind of resource simultaneously without conflict: each container can have its own PID 1, its own root file system and its own network stack. Namespaces alone are not a complete security boundary, though: the kernel itself is still shared by every container, which is why cgroups and SELinux are layered on top.
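Namespace membership is something you can inspect directly: every process exposes its namespaces as symlinks under /proc/&lt;pid&gt;/ns/, and two processes are isolated for a given resource exactly when the inode numbers behind those links differ. The following script is an added example and is not part of the original post or of RHEL's own tooling; it compares two PIDs namespace by namespace and, where unshare(1) is permitted, starts a child in a fresh UTS namespace to show which resources it still shares with the parent. The function names and the 0.2 s wait are my own choices.

```shell
#!/usr/bin/env bash
# Every process exposes its namespace membership as symlinks under
# /proc/<pid>/ns/; readlink gives e.g. "pid:[4026531836]", and the number is
# the inode that identifies the namespace. Two processes are isolated from each
# other for a given resource exactly when those inodes differ.

# Print the namespace types that two PIDs share, one per line. Types the running
# kernel does not expose (for example "cgroup" before Linux 4.6) are skipped.
shared_namespaces() {   # pid_a pid_b
    local pid_a="$1" pid_b="$2" ns a b
    for ns in cgroup ipc mnt net pid user uts; do
        a=$(readlink "/proc/$pid_a/ns/$ns" 2>/dev/null) || continue
        b=$(readlink "/proc/$pid_b/ns/$ns" 2>/dev/null) || continue
        [ "$a" = "$b" ] && printf '%s\n' "$ns"
    done
    return 0
}

# Succeed (exit 0) when the two PIDs are in *different* namespaces of one type,
# i.e. when the kernel really does isolate them for that resource.
# Exit 2 if either namespace link cannot be read.
ns_isolated() {   # type pid_a pid_b
    local a b
    a=$(readlink "/proc/$2/ns/$1") && b=$(readlink "/proc/$3/ns/$1") || return 2
    [ "$a" != "$b" ]
}

# Demonstration: start a child in a fresh UTS (hostname) namespace and check
# what it still shares with us. unshare(1) needs CAP_SYS_ADMIN (or a user
# namespace), so this part is skipped on a host where that is not permitted.
if unshare --uts true 2>/dev/null; then
    unshare --uts sleep 30 &
    child=$!
    sleep 0.2   # give unshare(2) time to run before we inspect the child
    printf 'child %s shares with us: %s\n' "$child" \
        "$(shared_namespaces "$$" "$child" | tr '\n' ' ')"
    ns_isolated uts "$$" "$child" && echo "uts: isolated, as requested"
    ns_isolated pid "$$" "$child" || echo "pid: shared, so the child is visible in our ps output"
    kill "$child"
fi
```

The point of the demonstration is that unsharing one namespace changes nothing else: the child gets its own hostname but stays visible in the parent's PID namespace and keeps the parent's mounts and network stack. A container runtime unshares all of them at once; when auditing a running container, comparing its PID 1 against the host's PID 1 with shared_namespaces should list nothing except, on older kernels, the types that kernel does not expose.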

Control Groups (cgroups)


The kernel uses cgroups to group processes for the purpose of system resource management. Cgroups let you allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks.
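On RHEL 7 the cgroup hierarchy is the v1 layout: one mount per controller under /sys/fs/cgroup/&lt;controller&gt;/, a tasks file listing the member PIDs, and controller-specific knobs such as memory.limit_in_bytes. The script below is an added example, not code from the original post or from Red Hat; it builds a memory-capped group by hand, attaches a process to it and lets that process try to exceed the cap, and it parses the /proc/&lt;pid&gt;/cgroup format so membership can be checked from a captured file as well as live. The group name demo_limit, the 64 MiB cap and the sample /proc lines used in its checks are constructed for the example.

```shell
#!/usr/bin/env bash
# RHEL 7 mounts cgroup v1: one hierarchy per controller under
# /sys/fs/cgroup/<controller>/, a 'tasks' file listing member PIDs, and
# controller knobs such as memory.limit_in_bytes. Membership of any process is
# readable from /proc/<pid>/cgroup as "hierarchy-id:controllers:path" lines.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Create (or reuse) a memory cgroup and cap it at $2 bytes. Needs root and a
# mounted v1 memory controller; prints the cgroup directory on success.
limit_memory_cgroup() {   # name bytes
    local dir="$CGROUP_ROOT/memory/$1"
    [ -d "$CGROUP_ROOT/memory" ] || return 1      # controller not mounted (v1)
    mkdir -p "$dir" || return 1
    echo "$2" > "$dir/memory.limit_in_bytes" || return 1
    # Cap memory+swap too, otherwise the task just swaps once it hits the limit
    # instead of being OOM-killed (the file exists only with swap accounting on).
    if [ -w "$dir/memory.memsw.limit_in_bytes" ]; then
        echo "$2" > "$dir/memory.memsw.limit_in_bytes"
    fi
    echo "$dir"
}

# Move a PID into a cgroup; processes it forks afterwards inherit membership.
attach_to_cgroup() {   # dir pid
    echo "$2" > "$1/tasks"
}

# Given /proc/<pid>/cgroup content on stdin, print the cgroup path of the
# hierarchy that carries controller $1 (nothing if that controller is not
# mounted). Pure text processing, so it works on a captured file as well.
cgroup_path_for() {   # controller
    awk -F: -v c="$1" '{
        n = split($2, ctrls, ",")
        for (i = 1; i <= n; i++) if (ctrls[i] == c) { print $3; exit }
    }'
}

# Demonstration (root only): cap a group at 64 MiB and let a process inside it
# read 256 MiB into a buffer. The kernel's OOM killer ends that process
# ("Killed") instead of letting it eat the host's memory.
if [ "$(id -u)" = 0 ] && dir=$(limit_memory_cgroup demo_limit $((64 * 1024 * 1024))); then
    (
        attach_to_cgroup "$dir" "$BASHPID"        # this subshell; children follow
        echo "memory cgroup: $(cgroup_path_for memory < /proc/self/cgroup)"
        dd if=/dev/zero of=/dev/null bs=256M count=1
    )
    rmdir "$dir" 2>/dev/null   # removable once the group has no tasks left
fi
```

Docker does the same thing on your behalf (its groups appear under the controller mounts as docker/&lt;container-id&gt; or a system.slice scope), and the resource flags on its command line are just writes to these files. Two practical points: a memory limit without the matching memsw limit only throttles a container into swap rather than stopping it, and a cgroup directory cannot be removed while any task is still listed in it, so cleanup scripts should check the tasks file first.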

SELinux

SELinux provides secure separation of containers by applying SELinux policy and labels. On RHEL 7 this is the sVirt approach: every container process runs under the confined type svirt_lxc_net_t and each container is given its own MCS level (a pair of categories such as s0:c12,c34), and files the container writes are labelled svirt_sandbox_file_t with the same categories. Because the categories differ, a process in one container is denied access to another container's files and processes even though both run the same type. This only helps while the host is in enforcing mode; with SELinux permissive or disabled, the labels are still applied but nothing is denied.
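The separation rests entirely on the MCS part of the context, so the useful check is whether two containers really ended up with different categories. The script below is an added example, not part of the original post or of the SELinux or docker tooling; it pulls the type and MCS level out of a context string, decides whether two contexts are MCS-separated, and on an enforcing host lists every confined container process with its level. The function names and the sample contexts used in its checks are constructed for the example.

```shell
#!/usr/bin/env bash
# With SELinux enforcing, RHEL 7's docker starts each container's processes as
# the confined type svirt_lxc_net_t and gives every container a unique MCS
# level, e.g. s0:c12,c34. Files the container writes get svirt_sandbox_file_t
# with the same categories, so one container's processes cannot touch another
# container's files even though both run the same type: the categories differ.

# Print the MCS level (sensitivity plus categories) of a context string:
# "system_u:system_r:svirt_lxc_net_t:s0:c12,c34" -> "s0:c12,c34".
mcs_level() {   # context
    printf '%s\n' "$1" | cut -d: -f4-
}

# Print the type field of a context: "svirt_lxc_net_t".
ctx_type() {   # context
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when two contexts are MCS-separated, i.e. carry different levels.
# Two containers that share a level can read each other's files, which is the
# misconfiguration this check is meant to catch (for example when both were
# started with the same explicit label level instead of an allocated one).
mcs_separated() {   # context_a context_b
    [ "$(mcs_level "$1")" != "$(mcs_level "$2")" ]
}

# Live view (SELinux host with containers running): one line per container
# process with its type and MCS level. Processes of the same container share a
# level; processes of different containers must not.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
    ps -eo label,pid,comm | awk 'NR > 1 && $1 ~ /svirt_lxc_net_t/' |
    while read -r ctx pid comm; do
        printf '%-7s %-18s %-14s %s\n' "$pid" "$(ctx_type "$ctx")" "$(mcs_level "$ctx")" "$comm"
    done
fi
```

The same labelling is why a host directory bind-mounted into a container is unreadable from inside it until it carries a type the container type is allowed to use (chcon -Rt svirt_sandbox_file_t on the directory is the documented RHEL 7 fix); the denial shows up in the audit log as an AVC against svirt_lxc_net_t, and the reflex of switching SELinux to permissive to make it go away removes the separation this whole section describes.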

Management Interface

RHEL 7 provides the Docker application as the main management tool for Linux containers. Docker builds on the aforementioned kernel capabilities and adds several features on top of them, such as portability of the packaged application and versioning of its images.

Containers

There are two general scenarios for using Linux containers in RHEL 7:

1. Host Containers : a way to carve out containers as lightweight application sandboxes. Each runs the same user space as the host system, so all applications running in host containers share the host's user space and runtime, and are tied to (and updated together with) the host's package set.



2. Image-based Containers : an application is packaged together with its own run-time stack, which makes it independent of the host operating system. This way, you can run several instances of an application, each built for a different platform. This is possible because the container runtime and the application runtime are deployed together in the form of an image.



Image-based containers allow you to host multiple instances and versions of an application, with minimal overhead and increased flexibility. Such containers are not tied to the host-specific configuration, which makes them portable. These features are enabled by the Docker format for application packaging. 

The docker command-line and configuration will be explained in the next post.