diff --git a/slides/intro/Namespaces_Cgroups.md b/slides/intro/Namespaces_Cgroups.md index 981ef5ae..ff85a9ac 100644 --- a/slides/intro/Namespaces_Cgroups.md +++ b/slides/intro/Namespaces_Cgroups.md @@ -76,6 +76,8 @@ The last item should be done for educational purposes only! --- +class: extra-details, deep-dive + ## Manipulating namespaces - Namespaces are created with two methods: @@ -94,6 +96,8 @@ The last item should be done for educational purposes only! --- +class: extra-details, deep-dive + ## Namespaces lifecycle - When the last process of a namespace exits, the namespace is destroyed. @@ -114,6 +118,8 @@ The last item should be done for educational purposes only! --- +class: extra-details, deep-dive + ## Namespaces can be used independently - As mentioned in the previous slides: @@ -150,6 +156,8 @@ The last item should be done for educational purposes only! --- +class: extra-details, deep-dive + ## Creating our first namespace Let's use `unshare` to create a new process that will have its own UTS namespace: @@ -166,6 +174,8 @@ $ sudo unshare --uts --- +class: extra-details, deep-dive + ## Demonstrating our uts namespace In our new "container", check the hostname, change it, and check it: @@ -398,6 +408,8 @@ class: extra-details --- +class: extra-details, deep-dive + ## Setting up a private `/tmp` Create a new mount namespace: @@ -435,6 +447,8 @@ The mount is automatically cleaned up when you exit the process. --- +class: extra-details, deep-dive + ## PID namespace in action Create a new PID namespace: @@ -453,10 +467,14 @@ Check the process tree in the new namespace: -- +class: extra-details, deep-dive + 🤔 Why do we see all the processes?!? --- +class: extra-details, deep-dive + ## PID namespaces and `/proc` - Tools like `ps` rely on the `/proc` pseudo-filesystem. @@ -471,6 +489,8 @@ Check the process tree in the new namespace: --- +class: extra-details, deep-dive + ## PID namespaces, take 2 - This can be solved by mounting `/proc` in the namespace. 
@@ -570,6 +590,8 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details. --- +class: extra-details, deep-dive + ## User namespace challenges - UID needs to be mapped when passed between processes or kernel subsystems. @@ -686,6 +708,8 @@ cpu memory --- +class: extra-details, deep-dive + ## Cgroups v1 vs v2 - Cgroups v1 are available on all systems (and widely used). @@ -759,6 +783,8 @@ cpu memory --- +class: extra-details, deep-dive + ## Avoiding the OOM killer - For some workloads (databases and stateful systems), killing @@ -778,6 +804,8 @@ cpu memory --- +class: extra-details, deep-dive + ## Overhead of the memory cgroup - Each time a process grabs or releases a page, the kernel update counters. @@ -796,6 +824,8 @@ cpu memory --- +class: extra-details, deep-dive + ## Setting up a limit with the memory cgroup Create a new memory cgroup: @@ -823,6 +853,8 @@ The current process *and all its future children* are now limited. --- +class: extra-details, deep-dive + ## What's `<<<`? - This is a "here string". (It is a non-POSIX shell extension.) @@ -847,6 +879,8 @@ The current process *and all its future children* are now limited. --- +class: extra-details, deep-dive + ## Writing to cgroups pseudo-files requires root Instead of: @@ -874,6 +908,8 @@ echo $$ > $CG/tasks --- +class: extra-details, deep-dive + ## Testing the memory limit Start the Python interpreter:
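Review bot: In the hunk at `@@ -453,10 +467,14 @@`, the first added `class: extra-details, deep-dive` line sits directly after the `--` incremental separator, ahead of "🤔 Why do we see all the processes?!?". That increment continues the "PID namespace in action" slide, which already receives the same class line in the hunk at `@@ -435,6 +447,8 @@`. Please check the rendered deck to confirm that the line is consumed as a slide property here and does not show up as visible text. If the increment already inherits the class from its parent slide, drop the repeat.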
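Review bot: Starting with the first hunk (`@@ -76,6 +76,8 @@`, "Manipulating namespaces") and in every hunk after it, the slides are tagged with a new `deep-dive` class that nothing in this patch defines or documents. The only file touched is `slides/intro/Namespaces_Cgroups.md`. Please include the stylesheet or build change that gives `deep-dive` its meaning in the same change, or add a short comment or commit-message line saying where it is handled, so a reader can tell how these slides differ from ones tagged only `class: extra-details` (as seen in the context of the hunk at `@@ -398,6 +408,8 @@`).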
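Review bot: In the hunk at `@@ -778,6 +804,8 @@` ("Overhead of the memory cgroup"), the context line "the kernel update counters" has a subject-verb mismatch. Since this slide is being touched anyway, change it to "the kernel updates counters". Likewise, in the hunk at `@@ -166,6 +174,8 @@` the heading "Demonstrating our uts namespace" uses lowercase "uts" while the previous slide's text says "its own UTS namespace"; pick one spelling.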