Enterprise Performance Architecture - Resource Isolation
24 Questions
Questions and Answers

What is one of the main benefits of resource isolation in computing?

  • It guarantees unlimited resource availability.
  • It allows resource instances to only affect themselves. (correct)
  • It enables applications to share resources equally.
  • It eliminates the need for a kernel.

Which of the following classes of isolation is implemented as control groups by the kernel?

  • Software Isolation
  • User Isolation
  • Process Isolation
  • Hardware Isolation (correct)

Which of the following best describes a key difference between containers and virtual machines?

  • Containers run their own operating system.
  • Virtual machines offer better resource isolation than containers.
  • Containers share the host OS kernel, while VMs do not. (correct)
  • Virtual machines are lightweight compared to containers.

Which tool is primarily used for orchestrating container deployment and management?

  • Kubernetes

What is a PID namespace primarily used for in the context of resource isolation?

  • To isolate process IDs among different containers.

Which of the following is NOT a responsibility of the kernel in resource isolation?

  • Allocating physical disk space to applications.

What is a fundamental characteristic of Docker containers?

  • They are lightweight and share the host OS kernel.

Which of the following is a consequence of saturation in resource management?

  • It degrades the performance of workloads.

What is the primary purpose of cgroups in container technology?

  • To limit and manage the resources a process can use

Which of the following describes the PID namespace feature in containerization?

  • Containers have their own independent process trees

How do containers compare with virtual machines in terms of resource efficiency?

  • Containers can run 4-10 times more instances on the same hardware than VMs

Which feature of Docker makes it a popular choice for deploying applications?

  • It packages software in containers for OS-level virtualization

What is a key feature of cgroups in Linux?

  • Monitor and report resource usage at the cgroup level

What role does Kubernetes play in managing containerized applications?

  • It orchestrates the deployment, scaling, and management of containers

What is the main advantage of using namespaces together with cgroups?

  • They provide a higher level of isolation and resource management

Which namespace in Linux is responsible for process isolation?

  • PID Namespace

In what significant way did Google’s Borg influence later container management systems like Kubernetes?

  • Borg laid the groundwork for orchestrating isolated applications in clusters

In the context of PID namespaces, what does PID1 refer to in a child namespace?

  • It cannot see any processes outside its own namespace.

Which of the following namespaces is NOT used by Docker when creating a container?

  • gpu

What is the primary purpose of namespaces in Linux?

  • To isolate various system resources for different processes

How do containers differ from virtual machines?

  • Containers share the host system's kernel, while VMs run their own operating system.

Which of the following statements about Docker containers is true?

  • Docker containers can have their own namespaces for various resources.

In Kubernetes orchestration, what role do namespaces play?

  • They isolate resources within a cluster to enhance management.

What is a feature of cgroups that allows prioritization between processes?

  • Resource contention management

    Study Notes

    Enterprise Performance Architecture (ENAP H4002) - Resource Isolation

    • The lecture plan covers time-sharing computing, namespaces, control groups, traditional containers, Kata containers, and a summary.
    • A resource is anything usable to accomplish a task. This is true in computing, too, encompassing CPU, memory, hard drive, network bandwidth, and battery life.
    • Resource isolation is the ability to separate multiple instances of a resource, so each instance only interacts with itself. This is a crucial capability for computer science paradigms like multiprocessing and cloud computing.
    • Isolation, in its general sense, is the process or fact of isolating or being isolated.
    • Workload saturation degrades performance, and excessive idle resources are costly.

    Lecture Plan Topics

    • Time-Sharing Computing
    • Namespaces
    • Control Groups
    • Traditional Containers
    • Kata Containers
    • Summary

    What is a Resource?

    • A resource is anything usable to perform a task.
      • Example in real life: Eggs, butter, ham, hot sauce, etc., are necessary to make an English muffin.
      • Example in computing: CPU, memory, hard drive, network bandwidth.

    What is Isolation?

    • The process or fact of isolating or being isolated.

    What is Resource Isolation?

    • The ability to keep multiple instances of a resource separate, so each instance interacts only with itself. This is essential for multi-processing systems and the cloud.

    Why Does Resource Isolation Matter?

    • Workload saturation degrades performance, and excessive idle resources are costly.

    Time-Sharing Computing

    • A method of sharing resources among multiple users/tenants.

    Multi-Tenant Environments

    • Environments where multiple tenants share common resources.

    Neighbor Isolation - Kernel Support

    • Resource isolation is achieved at the kernel level. Applications cannot isolate themselves at the application level since processes are peers to each other and have no special privileges. Therefore, the kernel must support isolation.

    What is a Kernel?

    • The kernel is like the brain of an operating system, controlling everything, such as hard disk access and memory management. It also manages user applications, daemons, command line (CLI) sequencing, hardware, schedulers, and memory.

    Isolation Classes

    • Isolation is categorized into software and hardware types.
    • The software implementation of isolation uses namespaces and control groups.
    • Namespaces and control groups are the foundational blocks of VMs and containers.

    Namespaces

    • A feature of the Linux kernel, namespaces partition kernel resources such that different sets of processes see different resource sets.
      • PID namespaces isolate process IDs.
      • Network namespaces manage network interfaces.
      • Inter-Process Communication (IPC) namespaces manage IPC resource access.
      • Mount namespaces deal with filesystem mount points.
      • UTS (Unix Timesharing System) namespaces provide distinct hostnames/domain names for processes.
      • User namespaces isolate user IDs.
      • Control Group namespaces isolate the control group information.
      • Time namespaces (added in 2020) allow different system times within a system.

    Namespaces - Example

    • Child processes have their own PID namespaces inside the parent namespace.
    • A process from inside a child namespace cannot see anything outside that namespace.

    Container View

    • Host and containers have their own namespaces.

    Control Groups

    • Control groups, or cgroups, are kernel features that limit, account for, and isolate resource usage among processes. Features:
      • Resource Limits: Controls the amount of a specific resource a process can use.
      • Prioritization: Controls how much of a resource a process receives compared to other cgroups in cases of contention.
      • Accounting: Monitors and reports limits at control group level.
      • Control: Configuration of processes in a control group is accessible/modifiable.

    Control Group Management

    • Cgroups are managed through a pseudo-filesystem interface (/sys/fs/cgroup).
    • Manipulating the corresponding directory tree (for example, creating a subdirectory) creates a new control group.

    Cgroups vs Namespaces

    • Namespaces and cgroups are often combined to achieve a higher isolation level, enabling fine-grained resource management, such as in container environments.

    Traditional Containers

    • Docker is a platform-as-a-service (PaaS) product employing OS-level virtualization to deliver software in container packages. It has become an industry standard.

    Docker Containers

    • Docker containers are child processes of the Docker daemon, wrapped in a container.
    • They have their own memory subspace inside the user space.

    Isolation - 7 Key Aspects

    • PID namespaces: Process identifiers and capabilities.
    • UTS namespaces: Host and domain names.
    • MNT namespaces: File system access and structure.
    • IPC namespaces: Process communication memory.
    • NET namespaces: Network access and structure.
    • USR namespaces: User names and identifiers.
    • cgroups: Control group management.

    Risk Mitigation

    • Containerized processes access only their own container's content; exceptions involve user-created connections.
    • Containers limit a program's impact on other running programs and system resources.

    Containers vs Virtual Machines

    • Virtual machines create a complete virtual machine with its own OS. Containers use the host operating system. This implies container performance is often better than that of VMs.

    Container Lifecycle

    • Container lifecycle stages: Create, Created, Start, Running, Pause, Paused, Unpause, Stop, and Deleted.

    Kubernetes (K8S)

    • Kubernetes is a container orchestration system managing container applications.

    Kubernetes Architecture

    • Illustrates the various components (Control Plane, API Server, Scheduler, Controller Manager, Worker Nodes, Kubelets, Container Runtime, K8s Objects, and more) and their interactions.

    Kata Containers

    • A lightweight VM/container technology providing a more streamlined approach than the traditional VM or container approaches.

    Real World Example: Google's Borg

    • A cluster management system from Google that isolates resources at the container level, allowing for efficient management of thousands of applications across Google's vast data centers.

    Borg Outcome

    • Borg improved resource utilization. This brought about better application performance and stability.
    • Borg laid the groundwork for Kubernetes.

    Summary

    • Namespaces isolate process IDs, user IDs, and the file system.
    • Control groups isolate hardware and limit runtime behavior.
    • Containers use namespaces and cgroups for isolation.
    • Tools like Kata containers and Kubernetes improve isolation/security in large-scale systems.
    • Lack of isolation severely hinders modern cloud computing.

    Description

    This quiz covers key concepts related to resource isolation in computing, including time-sharing, namespaces, control groups, and different types of containers. Understanding these elements is essential for effectively managing resources in multiprocessing and cloud environments. Test your knowledge on how isolation impacts system performance and resource utilization.
