Notes
Lecture 7
---------
What is Solaris?
- proprietary UNIX
- although OpenSolaris was released under a
copyleft license that is specifically incompatible
with the GPL (CDDL)
- but then was made proprietary again
- community still maintains OpenSolaris?
- originally was the successor to SunOS, which
was based on BSD UNIX (Solaris was based on System V
UNIX)
- Oracle got it when they bought Sun
- zfs & dtrace started with Solaris, now more widely used
What is a container?
- in the paper, a zone with resource management
- but in modern usage?
Experience 1 is all about containers
- as managed with kubernetes
A container is essentially the userland of a process
- containers on a host share a kernel
- unlike virtual machines, where each VM has a kernel
and the whole is managed by a hypervisor
Kubernetes is an orchestration platform
- i.e., it manages containers
Containers are the unit of distribution in the cloud today
(even more than virtual machines)
- NOT processes
So a container is...
- a group of processes
- and associated storage and other resources
(whatever those processes need "locally")
A process can't be easily isolated from the rest of the system
- that's why Plan 9, LOCUS and the like end up forwarding so
much to other systems (it turns into client/server)
But a container is...self contained
- so you can package it up, move it around, run it anywhere
It is really a minimal abstraction of a host, not a process
- a VM is an abstraction of a host, but with extra overhead
- for 50 host-like things, why run 50 kernels when
you can just run one?
Solaris zones were really about the sharing of individual systems
- much like OS virtualization has been used in the past
- classic use case: multiple web servers on a host
- really good for any app that wants "a whole computer" to
run
What's hard about containers?
- security, specifically isolation
- UNIX-like kernels weren't built to separate groups
of processes so strictly
- remains a big problem today, where the current best
practice is to not run containers from multiple
customers on the same system (VM)
- each customer should use their own VMs because
hardware virtual machines provide better isolation
- so many opportunities for processes in one container
to mess with other containers
- because OS kernels have so many shared
data structures
What you should read to really understand this is your TA's master's thesis
- he just defended
- it is really good
- bpfcontain :-)
(old version, bpfbox)
the cloud really took off on the basis of virtual machines
- if you go to AWS and rent a "computer", you're renting a hardware-based VM (likely running on Linux's KVM or Windows's Hyper-V)
- in this old version of Solaris, the fair share scheduler is just for the CPU
- you really have to manage CPU, memory, disk, network, and any other I/O
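As an added illustration of that last point (not part of the lecture notes), a small audit of a Linux cgroup v2 directory: it reports which of CPU, memory, process count and block I/O are actually capped, so a CPU-only limit like the paper's fair-share scheduler shows up as "everything else unbounded". The sample data is constructed; the file names and formats are the standard cgroup v2 ones (cpu.max, memory.max, pids.max, io.max).

```python
"""Audit cgroup v2 resource limits for one container/cgroup.

Constructed sample data below; on a real cgroup v2 host the same
files live under /sys/fs/cgroup/<cgroup path>/.
"""
from pathlib import Path


def _cpu_bounded(text: str) -> bool:
    # cpu.max is "<quota> <period>"; a quota of "max" means no CPU cap.
    fields = text.split()
    return bool(fields) and fields[0] != "max"


def _scalar_bounded(text: str) -> bool:
    # memory.max and pids.max hold a number or the literal "max".
    value = text.strip()
    return value != "" and value != "max"


def _io_bounded(text: str) -> bool:
    # io.max has one line per device: "MAJ:MIN rbps=... wbps=... riops=... wiops=...".
    # An empty file means no I/O limits; a device counts only if some key != max.
    for line in text.splitlines():
        fields = [f for f in line.split()[1:] if "=" in f]
        if any(f.split("=", 1)[1] != "max" for f in fields):
            return True
    return False


CHECKS = {
    "cpu.max": _cpu_bounded,
    "memory.max": _scalar_bounded,
    "pids.max": _scalar_bounded,
    "io.max": _io_bounded,
}


def audit_limits(files: dict) -> dict:
    """Map each controller file to True (bounded) or False (unbounded or missing)."""
    return {name: (name in files and check(files[name])) for name, check in CHECKS.items()}


def audit_cgroup_dir(cgroup_dir: str = "/sys/fs/cgroup") -> dict:
    """Read the controller files of a real cgroup v2 directory and audit them."""
    base = Path(cgroup_dir)
    return audit_limits({n: (base / n).read_text() for n in CHECKS if (base / n).exists()})


# Constructed sample: CPU is capped (like the paper's fair-share scheduler),
# but memory, I/O and process count are left at the kernel defaults.
SAMPLE = {"cpu.max": "50000 100000\n", "memory.max": "max\n", "pids.max": "max\n", "io.max": ""}

if __name__ == "__main__":
    for name, bounded in audit_limits(SAMPLE).items():
        print(f"{name:12s} {'bounded' if bounded else 'UNBOUNDED'}")
```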
The other big change today is that containers are most frequently disposable
- built from an immutable disk image
- easily thrown away when not needed, has no
critical state (that state is stored elsewhere)