Opt-out a bunch of slides in the deep dive section

Jerome Petazzoni
2018-06-04 05:49:24 -05:00
parent 14eb19a42b
commit 30ca940eeb

@@ -76,6 +76,8 @@ The last item should be done for educational purposes only!
---
class: extra-details, deep-dive
## Manipulating namespaces
- Namespaces are created with two methods:
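Review bot: the `class: extra-details, deep-dive` line added under the `---` separator here (and repeated in the hunks that follow) introduces a `deep-dive` class, but nothing in this diff shows what consumes it. The commit title says these slides are opted out, so please point to the stylesheet or build step that acts on `deep-dive`, or add a short comment near the first use, so a reader of the slide source can tell whether the slide is hidden at render time or dropped from the generated deck.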
@@ -94,6 +96,8 @@ The last item should be done for educational purposes only!
---
class: extra-details, deep-dive
## Namespaces lifecycle
- When the last process of a namespace exits, the namespace is destroyed.
@@ -114,6 +118,8 @@ The last item should be done for educational purposes only!
---
class: extra-details, deep-dive
## Namespaces can be used independently
- As mentioned in the previous slides:
@@ -150,6 +156,8 @@ The last item should be done for educational purposes only!
---
class: extra-details, deep-dive
## Creating our first namespace
Let's use `unshare` to create a new process that will have its own UTS namespace:
@@ -166,6 +174,8 @@ $ sudo unshare --uts
---
class: extra-details, deep-dive
## Demonstrating our uts namespace
In our new "container", check the hostname, change it, and check it:
@@ -398,6 +408,8 @@ class: extra-details
---
class: extra-details, deep-dive
## Setting up a private `/tmp`
Create a new mount namespace:
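Review bot: the hunk header context here reads `class: extra-details`, so at least one earlier slide in this file carries `extra-details` without `deep-dive`, while the slide tagged in this hunk gets both. The old-file line numbers also jump from 166 in the previous hunk to 398 here, with no hunks in between. If that split is intentional, a line in the commit message saying which `extra-details` slides are meant to stay untagged would help; if it is not, the untouched `extra-details` slides need the same tag.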
@@ -435,6 +447,8 @@ The mount is automatically cleaned up when you exit the process.
---
class: extra-details, deep-dive
## PID namespace in action
Create a new PID namespace:
@@ -453,10 +467,14 @@ Check the process tree in the new namespace:
--
class: extra-details, deep-dive
🤔 Why do we see all the processes?!?
---
class: extra-details, deep-dive
## PID namespaces and `/proc`
- Tools like `ps` rely on the `/proc` pseudo-filesystem.
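Review bot: the first `class: extra-details, deep-dive` in this hunk follows a `--` separator, not `---`, so it lands on an incremental step ("Why do we see all the processes?!?") rather than at the top of a new slide. Please check that the slide tool treats the line as a property there instead of rendering it as text, and that the step is excluded together with the "PID namespace in action" slide it continues; otherwise the question can appear without the process tree it refers to.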
@@ -471,6 +489,8 @@ Check the process tree in the new namespace:
---
class: extra-details, deep-dive
## PID namespaces, take 2
- This can be solved by mounting `/proc` in the namespace.
@@ -570,6 +590,8 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details.
---
class: extra-details, deep-dive
## User namespace challenges
- UID needs to be mapped when passed between processes or kernel subsystems.
@@ -686,6 +708,8 @@ cpu memory
---
class: extra-details, deep-dive
## Cgroups v1 vs v2
- Cgroups v1 are available on all systems (and widely used).
@@ -759,6 +783,8 @@ cpu memory
---
class: extra-details, deep-dive
## Avoiding the OOM killer
- For some workloads (databases and stateful systems), killing
@@ -778,6 +804,8 @@ cpu memory
---
class: extra-details, deep-dive
## Overhead of the memory cgroup
- Each time a process grabs or releases a page, the kernel update counters.
@@ -796,6 +824,8 @@ cpu memory
---
class: extra-details, deep-dive
## Setting up a limit with the memory cgroup
Create a new memory cgroup:
@@ -823,6 +853,8 @@ The current process *and all its future children* are now limited.
---
class: extra-details, deep-dive
## What's `<<<`?
- This is a "here string". (It is a non-POSIX shell extension.)
@@ -847,6 +879,8 @@ The current process *and all its future children* are now limited.
---
class: extra-details, deep-dive
## Writing to cgroups pseudo-files requires root
Instead of:
@@ -874,6 +908,8 @@ echo $$ > $CG/tasks
---
class: extra-details, deep-dive
## Testing the memory limit
Start the Python interpreter: