L3 - Virtualization 2/2

Question 1

What are the two building blocks of OS-level virtualization?

Answer 1

cgroups and namespaces
–> they allow the guest OS to run on top of the host OS

Question 2

What is a namespace?

Answer 2

a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. Resources may exist in multiple spaces.

–> key feature is that they isolate processes from each other

Question 3

What are some examples of namespaces?

Answer 3

• process IDs
• hostnames
• user IDs
• file names
• names associated with network access
• interprocess communication

Question 4

What is a user namespace?

Answer 4

A user namespace has its own set of user IDs and group IDs for assignment to processes. In particular, this means that a process can have root privileges within its user namespace without having it in other user namespaces.

Question 5

What is a process ID (PID) namespace?

Answer 5

Assigns a set of PIDs to processes that are independent from the set of PIDs in other namespaces.

Question 6

What is a network namespace?

Answer 6

A Network Namespace (netns) is a Linux kernel feature that allows for the isolation of network stack and interfaces between multiple processes or containers running on a single host. Each network namespace has its own set of network interfaces, routing tables, firewall rules, and other network-related settings, which means that each process or container inside a namespace will have its own unique view of the network.

Question 7

What is a mount namespace?

Answer 7

• a mount point is a directory or file at which a new file system is made accessible

A mount namespace has an independent list of mount points seen by the processes in the namespace. You can mount and unmount filesystems in a mount namespace without affecting the host filesystem.

Question 8

What is a cgroup?

Answer 8

It is a control group. It is a Linux kernel feature that limits, accounts for, and isolates a collection of processes’ resource usage (CPU, memory, disk I/O, network, and so on ).

Question 9

What is the difference btw. namespace and cgroups?

Answer 9

Namespaces provide isolation of system resources, and cgroups allow for fine‑grained control and enforcement of limits for those resources.

cgroups = limits how much you can use
namespaces = limits what you can see

Question 10

3 main tasks of the cgroup on a group of processes?

Answer 10

• limit resources
• isolate resources
• audit the utilization of resources

Question 11

Why are cgroups relevant for containers?

Answer 11

Cgroups are key components of containers because they are often multiple processes running in a container that you need to control together.

Question 12

Types of cgroups

Answer 12

memory cgroups –> limit memory size
cpu cgropus
blkio cgroup
cpuset cgroup
device cgroup
freezer cgroup

Question 13

What is the blkio cgropu about?

Answer 13

Provide block storage of machine

Question 14

What is the cpuset cgroup?

Answer 14

Provides a set of cpu

Question 15

What is the device cgroup?

Answer 15

About allowing device accessibility

Question 16

Whatis the freezer cgroup?

Answer 16

Stop all processes in one cgroup

Question 17

Features of a memory cgroup

Answer 17

• accounting (how many memory pages are utilized by a specific group of running processes?)
• limiting

Question 18

What is the difference between a soft and a hard limit?

Answer 18

Soft limit - memory is allotted if available
Hard limit - memory is not allotted to the group of tasks

Question 19

What happens when the hard limit is exceeded?

Answer 19

• the kernel triggers OOM killer (Out-of-memory) process to kill any running processes
• since the process might be important –> advisable to run only one application on a container

Question 20

What is the customized solution for overriding hard limits?

Answer 20

1. All processes are stopped processing (freeze option)
2. Notify user space
3. user could kill specific processes
4. Or user could increase the hard limit specific in the groups
5. When done, unfreeze the groups

Question 21

What are containers?

Answer 21

• use the kernel features (cgroups and namespaces)
• container technology provides an environment where the hardware is shared among multiple users
• lightweight VM (less space)
• container solutions allow multiple isolated Linux systems of the same kind on a single host.

Question 22

What is a docker?

Answer 22

• utilizes the container technology (cgroups and namespaces)
• ports containers
• replicates containers across environments
• removes unnecessary configuration hurdles of applications

Question 23

What is the union filesystem?

Answer 23

Unionfs is a filesystem service which implements a union mount for other file systems. It allows files and directories of separate file systems to be transparently overlaid, forming a coherent file system.

Question 24

Do you still have the guest OS with docker?

Answer 24

No, you only have

Apps
Bins/Libs
Docker Engine
Host OS
Server

Question 25

What does the docker daemon do?

Answer 25

Building, running, distributing docker containers

Question 26

Docker container states

Answer 26

• created
• restarting
• running
• paused
• exited
• dead

Question 27

What is docker desktop?

Answer 27

• bundled package which contains all components of dockers

Question 28

What is docker compose?

Answer 28

• tool for defining instances specific to certain applications
• able to build and run the multi-container docker applications
• it is represented as YAML files

Question 29

Docker swarm

Answer 29

• tool to manage docker containers hosted on clusters
• features such as scaling, multi-host orchestration, load balancing