Enterprise Performance Architecture - Resource Isolation
24 Questions

Questions and Answers

What is one of the main benefits of resource isolation in computing?

  • It guarantees unlimited resource availability.
  • It allows resource instances to only affect themselves. (correct)
  • It enables applications to share resources equally.
  • It eliminates the need for a kernel.

Which of the following classes of isolation is implemented as control groups by the kernel?

  • Software Isolation
  • User Isolation
  • Process Isolation
  • Hardware Isolation (correct)

Which of the following best describes a key difference between containers and virtual machines?

  • Containers run their own operating system.
  • Virtual machines offer better resource isolation than containers.
  • Containers share the host OS kernel, while VMs do not. (correct)
  • Virtual machines are lightweight compared to containers.

Which tool is primarily used for orchestrating container deployment and management?

  • Kubernetes (B)

What is a PID namespace primarily used for in the context of resource isolation?

  • To isolate process IDs among different containers. (A)

Which of the following is NOT a responsibility of the kernel in resource isolation?

  • Allocating physical disk space to applications. (C)

What is a fundamental characteristic of Docker containers?

  • They are lightweight and share the host OS kernel. (A)

Which of the following is a consequence of saturation in resource management?

  • It degrades the performance of workloads. (C)

What is the primary purpose of cgroups in container technology?

  • To limit and manage the resources a process can use (A)

Which of the following describes the PID namespace feature in containerization?

  • Containers have their own independent process trees (D)

How do containers compare with virtual machines in terms of resource efficiency?

  • Containers can run 4-10 times more instances on the same hardware than VMs (A)

Which feature of Docker makes it a popular choice for deploying applications?

  • It packages software in containers for OS-level virtualization (A)

What is a key feature of cgroups in Linux?

  • Monitor and report resource usage at the cgroup level (C)

What role does Kubernetes play in managing containerized applications?

  • It orchestrates the deployment, scaling, and management of containers (B)

What is the main advantage of using namespaces together with cgroups?

  • They provide a higher level of isolation and resource management (B)

Which namespace in Linux is responsible for process isolation?

  • PID Namespace (D)

In what significant way did Google’s Borg influence later container management systems like Kubernetes?

  • Borg laid the groundwork for orchestrating isolated applications in clusters (C)

In the context of PID namespaces, what does PID1 refer to in a child namespace?

  • It cannot see any processes outside its own namespace. (A)
  • It denotes the first process started within that child namespace. (C)

Which of the following namespaces is NOT used by Docker when creating a container?

  • gpu (A)

What is the primary purpose of namespaces in Linux?

  • To isolate various system resources for different processes (A)

How do containers differ from virtual machines?

  • Containers share the host system's kernel, while VMs run their own operating system. (A)

Which of the following statements about Docker containers is true?

  • Docker containers can have their own namespaces for various resources. (A)

In Kubernetes orchestration, what role do namespaces play?

  • They isolate resources within a cluster to enhance management. (D)

What is a feature of cgroups that allows prioritization between processes?

  • Resource contention management (D)

Flashcards

Resource

Anything that can be used to perform a task in computing, examples include CPU, memory, hard drive storage, network bandwidth, and battery life.

Resource Isolation

Keeping different instances or pieces of a resource (like CPU or memory) separate to prevent one affecting another.

Resource Isolation (Importance)

Essential for stable & predictable performance when multiple workloads (tasks) are running on the same resources. Prevents performance degradation.

Kernel

The core part of an operating system that controls the hardware and allocation of system resources.

Kernel Support (Isolation)

Kernel manages resource isolation, handling separation and access control of a specific system resource for different parts of programs.

Software Isolation

Resource isolation achieved using namespaces or control groups inside the kernel.

Hardware Isolation

Using hardware features to isolate computing resources.

Namespaces and Control Groups

Ways the kernel divides up resources for different programs or parts of an operating system for isolation. Foundation for VMs and containers.

What are containers?

Software packages delivered using OS-level virtualization, providing isolation and allowing separate applications to run on the same system

What are namespaces?

Mechanism to isolate system resources like network, process ID, and file system, giving each container its own view of the system

What are cgroups?

Control groups limit the resources a container can use, like CPU time, memory, and disk space

What are the benefits of containers?

They offer improved resource utilisation, faster deployment, consistent environments, and increased portability compared to virtual machines

Kubernetes

A container orchestration system that automates deployment, scaling, and management of containerized applications

What is Borg?

Google's cluster management system, which manages resources at the container level; it inspired Kubernetes

How does resource isolation work?

Namespaces and cgroups isolate system resources, providing a sandbox for containers to run safely and without impacting other processes

What is Docker?

A popular platform that uses containers to package and deploy software, making it easier to build, share, and run applications

Namespaces

A Linux feature that isolates system resources like process IDs, network interfaces, and file system mounts.

PID Namespace

A type of namespace that isolates process IDs (PIDs), preventing processes in one namespace from seeing those in another.

Control Groups (cgroups)

A kernel feature that limits, accounts for, and isolates the resource usage of groups of processes. It helps control how much CPU, memory, or disk space a process can use.

Resource Limit (cgroup)

A feature of cgroups that sets a limit on how much of a particular resource (CPU time, memory, disk space) a process within a cgroup can consume.

Prioritization (cgroup)

A feature of cgroups that allows you to prioritize how much of a resource a process within a cgroup can use compared to other cgroups during resource contention.

Process Isolation

The ability to keep processes separate from each other and from the rest of the system using namespaces and control groups.

Network Namespace

A type of namespace that isolates network interfaces and addresses, so processes in one namespace can't directly access those in another.

Cgroup Accounting

A feature of cgroups that tracks and reports the resource usage of processes within a cgroup.

Study Notes

Enterprise Performance Architecture (ENAP H4002) - Resource Isolation

  • The lecture plan covers time-sharing computing, namespaces, control groups, traditional containers, Kata containers, and a summary.
  • A resource is anything usable to accomplish a task. This is true in computing, too, encompassing CPU, memory, hard drive, network bandwidth, and battery life.
  • Resource isolation is the ability to separate multiple instances of a resource, so each instance only interacts with itself. This is a crucial capability for computer science paradigms like multiprocessing and cloud computing.
  • Isolation, in its general sense, is the process or fact of isolating or being isolated.
  • Workload saturation degrades performance, and excessive idle resources are costly.

Lecture Plan Topics

  • Time-Sharing Computing
  • Namespaces
  • Control Groups
  • Traditional Containers
  • Kata Containers
  • Summary

What is a Resource?

  • A resource is anything usable to perform a task.
    • Example in real life: Eggs, butter, ham, hot sauce, etc., are necessary to make an English muffin.
    • Example in computing: CPU, memory, hard drive, network bandwidth.

What is Isolation?

  • The process or fact of isolating or being isolated.

What is Resource Isolation?

  • The ability to keep multiple instances of a resource separate, so each instance interacts only with itself. This is essential for multi-processing systems and the cloud.

Why Does Resource Isolation Matter?

  • Workload saturation degrades performance, and excessive idle resources are costly.

Time-Sharing Computing

  • A method of sharing resources among multiple users/tenants.

Multi-Tenant Environments

  • Environments where multiple tenants share common resources.

Neighbor Isolation - Kernel Support

  • Resource isolation is achieved at the kernel level. Applications cannot isolate themselves at the application level since processes are peers to each other and have no special privileges. Therefore, the kernel must support isolation.

What is a Kernel?

  • The kernel is like the brain of an operating system, controlling everything, such as hard disk access and memory management. It also manages user applications, daemons, command line (CLI) sequencing, hardware, schedulers, and memory.

Isolation Classes

  • Isolation is categorized into software and hardware types.
  • The software implementation of isolation uses namespaces and control groups.
  • Namespaces and control groups are the foundational blocks of VMs and containers.

Namespaces

  • A feature of the Linux kernel, namespaces partition kernel resources such that different sets of processes see different resource sets.
    • PID namespaces isolate process IDs.
    • Network namespaces manage network interfaces.
    • Inter-Process Communication (IPC) namespaces manage IPC resource access.
    • Mount namespaces deal with filesystem mount points.
    • Unix Timesharing System (UTS) namespaces provide distinct hostnames/domain names for processes.
    • User namespaces isolate user IDs.
    • Control Group namespaces isolate the control group information.
    • Time namespaces (added in 2020) allow different system times within a system.

Namespaces - Example

  • Child processes have their own PID namespaces inside the parent namespace.
  • A process from inside a child namespace cannot see anything outside that namespace.

Container View

  • Host and containers have their own namespaces.

Control Groups

  • Control groups, or cgroups, are kernel features that limit, account for, and isolate resource usage among processes. Features:
    • Resource Limits: Controls the amount of a specific resource a process can use.
    • Prioritization: Controls how much of a resource a process receives compared to other cgroups in cases of contention.
    • Accounting: Monitors and reports limits at control group level.
    • Control: Configuration of processes in a control group is accessible/modifiable.

Control Group Management

  • Cgroups are managed through a pseudo-filesystem interface (/sys/fs/cgroup).
  • Creating a directory in this hierarchy creates a new control group.

Cgroups vs Namespaces

  • Namespaces and cgroups are often combined to achieve a higher isolation level, enabling fine-grained resource management, such as in container environments.

Traditional Containers

  • Docker is a platform-as-a-service (PaaS) product employing OS-level virtualization to deliver software in container packages. It has become an industry standard.

Docker Containers

  • Docker containers are child processes of the Docker daemon, wrapped in a container.
  • They have their own memory subspace inside the user space.

Isolation - 7 Key Aspects

  • PID namespaces: Process identifiers and capabilities.
  • UTS namespaces: Host and domain names.
  • MNT namespaces: File system access and structure.
  • IPC namespaces: Process communication memory.
  • NET namespaces: Network access and structure.
  • USR namespaces: User names and identifiers.
  • cgroups: Control group management.

Risk Mitigation

  • Containerized processes access only their own container's content; exceptions involve user-created connections.
  • Containers limit a program's impact on other running programs and system resources.

Containers vs Virtual Machines

  • A virtual machine is a complete virtualized machine with its own OS, whereas containers use the host operating system. As a result, container performance is often better than that of VMs.

Container Lifecycle

  • Container lifecycle stages: Create, Created, Start, Running, Pause, Paused, Unpause, Stop, and Deleted.

Kubernetes (K8S)

  • Kubernetes is a container orchestration system that manages containerized applications.

Kubernetes Architecture

  • Illustrates the various components (Control Plane, API Server, Scheduler, Controller Manager, Worker Nodes, Kubelets, Container Runtime, K8s Objects, and more) and their interactions.

Kata Containers

  • A lightweight VM/container technology providing a more streamlined approach than the traditional VM or container approaches.

Real World Example: Google's Borg

  • A cluster management system from Google that isolates resources at the container level, allowing for efficient management of thousands of applications across Google's vast data centers.

Borg Outcome

  • Borg improved resource utilization. This brought about better application performance and stability.
  • Borg laid the groundwork for Kubernetes.

Summary

  • Namespaces isolate process IDs, user IDs, and the file system.
  • Control groups isolate hardware and limit runtime behavior.
  • Containers use namespaces and cgroups for isolation.
  • Tools like Kata containers and Kubernetes improve isolation/security in large-scale systems.
  • Lack of isolation severely hinders modern cloud computing.

Description

This quiz covers key concepts related to resource isolation in computing, including time-sharing, namespaces, control groups, and different types of containers. Understanding these elements is essential for effectively managing resources in multiprocessing and cloud environments. Test your knowledge on how isolation impacts system performance and resource utilization.