DistOS 2021F 2021-09-30
Notes
Lecture 7
---------

What is Solaris?
- proprietary UNIX
  - although OpenSolaris was released under a copyleft license (the CDDL) that is specifically incompatible with the GPL
  - but then it was made proprietary again
  - community still maintains OpenSolaris? (yes, as the illumos fork)
- originally the successor to SunOS, which was based on BSD UNIX (Solaris is based on System V UNIX)
- Oracle got it when they bought Sun
- ZFS and DTrace started with Solaris, now more widely used

What is a container?
- in the paper, a zone with resource management
- but in modern usage?

Experience 1 is all about containers
- as managed with Kubernetes

A container is essentially the userland of a process
- containers on a host share a kernel
- unlike virtual machines, where each VM has its own kernel and the whole set is managed by a hypervisor

Kubernetes is an orchestration platform
- i.e., it manages containers

Containers are the unit of distribution in the cloud today (even more than virtual machines)
- NOT processes

So a container is...
- a group of processes
- and associated storage and other resources (whatever those processes need "locally")

A process can't be easily isolated from the rest of the system
- that's why Plan 9, LOCUS and such seem to forward so much to other systems (it turns into client/server)

But a container is... self-contained
- so you can package it up, move it around, run it anywhere

It is really a minimal abstraction of a host, not of a process
- a VM is an abstraction of a host, but with extra overhead
- for 50 host-like things, why run 50 kernels when you can just run one?

Solaris zones were really about the sharing of individual systems
- much like OS virtualization has been used in the past
- classic use case: multiple web servers on one host
- really good for any app that wants "a whole computer" to run

What's hard about containers?
- security, specifically isolation
  - UNIX-like kernels weren't built to separate groups of processes so strictly
  - this remains a big problem today, where current best practice is to not run containers from multiple customers on the same system (VM)
    - each customer should use their own VMs, because hardware virtual machines provide better isolation
  - there are so many opportunities for processes in one container to mess with other containers
    - because OS kernels have so many shared data structures
- what you should read to really understand this is your TA's master's thesis
  - he just defended it, and it is really good
  - bpfcontain :-) (old version: bpfbox)

The cloud really took off on the basis of virtual machines
- if you go to AWS and rent a "computer", you're renting a hardware-based VM (AWS uses Xen or its KVM-based Nitro hypervisor; Azure uses Hyper-V)

- in this old version of Solaris, the fair share scheduler is just for the CPU
- you really have to manage CPU, memory, disk, network, and any other I/O

The other big change today is that containers are most frequently disposable
- built from an immutable disk image
- easily thrown away when not needed; a container has no critical state (that state is stored elsewhere)
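As an added example (not from the lecture, the paper, or the TA's bpfcontain/bpfbox code): a small Linux-only Python script that shows concretely what a process inside a container shares with the host and what it owns. The kernel (/proc/version) and the capability bit numbering are global to every container on the host; the per-container parts are the namespaces in /proc/self/ns and the cgroup in /proc/self/cgroup that limits CPU, memory and I/O. Which capabilities the script flags as "reaching shared kernel state" is my own selection, and the sample /proc contents used to exercise the parsers are constructed.

```python
#!/usr/bin/env python3
"""Show what a Linux process shares with the host kernel and what it owns.

Runs unprivileged. Every container on a host shares one kernel, so
/proc/version and the capability bit numbers are global; the per-container
parts are the namespaces (/proc/self/ns/*) and the cgroup (/proc/self/cgroup).
"""
import os
import re

# Capability bit numbers from <linux/capability.h> (list index == bit number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that let a container reach past its namespaces into shared
# kernel state (my selection for this example, not an exhaustive list).
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
               "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SYS_RAWIO"}

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_cap_mask(hex_mask):
    """Decode a CapEff/CapBnd value from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def status_field(status_text, field):
    """Return the value of one 'Field:<tab>value' line from /proc/<pid>/status."""
    m = re.search(r"^%s:\s*(.*)$" % re.escape(field), status_text, re.M)
    return m.group(1).strip() if m else None


def parse_cgroup(cgroup_text):
    """Parse /proc/<pid>/cgroup into (hierarchy_id, controllers, path) tuples.

    cgroup v2 has a single line '0::/path'; v1 has one line per hierarchy
    such as '12:memory:/docker/<id>'.
    """
    entries = []
    for line in cgroup_text.splitlines():
        if not line.strip():
            continue
        hid, controllers, path = line.split(":", 2)
        entries.append((int(hid), tuple(c for c in controllers.split(",") if c), path))
    return entries


def cgroup_v2_path(entries):
    """Return the unified-hierarchy path, or None if only v1 hierarchies exist."""
    for hid, controllers, path in entries:
        if hid == 0 and not controllers:
            return path
    return None


def namespace_ids(pid="self"):
    """Map namespace type -> 'type:[inode]'; None where /proc denies the readlink."""
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink("/proc/%s/ns/%s" % (pid, ns))
        except OSError:  # e.g. no ptrace access to another user's process
            ids[ns] = None
    return ids


def shared_namespaces(a, b):
    """Namespace types in which two processes are in the same namespace."""
    return sorted(ns for ns in NS_TYPES if a.get(ns) and a[ns] == b.get(ns))


def escape_capabilities(cap_names):
    """Subset of cap_names that can reach shared kernel state."""
    return sorted(set(cap_names) & ESCAPE_CAPS)


def report():
    with open("/proc/version") as f:
        print("kernel (shared by every container on this host):", f.read().strip())
    with open("/proc/self/status") as f:
        status = f.read()
    caps = parse_cap_mask(status_field(status, "CapEff"))
    print("effective capabilities:", ", ".join(caps) or "(none)")
    print("capabilities reaching shared kernel state:", escape_capabilities(caps) or "(none)")
    with open("/proc/self/cgroup") as f:
        entries = parse_cgroup(f.read())
    print("cgroup v2 path (resource limits live here):", cgroup_v2_path(entries))
    print("namespaces shared with PID 1:", shared_namespaces(namespace_ids("self"), namespace_ids(1)))


if __name__ == "__main__":
    report()
```

Run it once on the host and once inside a container on the same machine: the kernel line is identical, because there is only one kernel, while the cgroup path and the namespace list differ. A container whose effective set includes CAP_SYS_ADMIN or CAP_SYS_PTRACE is the situation the notes warn about, since those capabilities act on the kernel's shared data structures rather than on the container's own namespaces.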