Enterprise Performance Architecture (ENAP H4002) Lecture PDF

Summary

These lecture notes cover Enterprise Performance Architecture (ENAP H4002), focusing on resource isolation. They explain the concepts of resource isolation, isolation classes, namespaces, cgroups, and containers, including details about technologies like Docker and Kubernetes. The lecture also gives real-world examples focusing on Google's Borg.

Full Transcript

Enterprise Performance Architecture (ENAP H4002)
Resource Isolation
Dr Omar Portillo

What is a resource?

Any thoughts?

A resource is anything that can be used to perform a task. E.g., to prepare an English muffin, we need the following resources:

The same is true in computing! System/computational resources refer to things like CPU, memory, hard drive storage, network bandwidth, and battery life. Just like in the real world, these resources are scarce/limited!

What is isolation?

Any thoughts?

The process or fact of isolating or being isolated.

What is resource isolation?

The ability to keep multiple instances of a resource separated, so that each instance only sees and can affect itself.
– (US) National Institute of Standards and Technology (NIST)

It is an essential capability that has enabled several of the biggest computer science paradigms, such as multi-processing in computers (et al.) and the cloud.

Why does it matter?

Because workload leads to saturation, and saturation degrades performance! (But also, excessive idle resources are bad, as they cost money!)

Ayala-Rivera, V., Kaczmarski, M., Murphy, J., Darisa, A., & Portillo-Dominguez, A. O. One size does not fit all: In-test workload adaptation for performance testing of enterprise applications. 2018 ACM/SPEC International Conference on Performance Engineering.

Neighbour Isolation - Kernel Support

Resource isolation from our neighbours is a kernel-level feature.

User processes cannot isolate themselves from each other at the application layer of the OS.
o There, each (user) process is a peer of all the others.
o I.e., applications have no special privileges.

Thus, the kernel needs to support isolation natively.

What is a kernel?

Any thoughts?

The kernel is "the brain" of an operating system. It controls everything (e.g., access to the hard disk, memory management).

Isolation classes

There are two main classes of isolation:
o Software
o Hardware

Formally, these are implemented as Namespaces and Control Groups, respectively, by the kernel. These are the foundation of VMs and containers. We will look at each now!

https://blog.nginx.org/blog/what-are-namespaces-cgroups-how-do-they-work

NOTE: We focused on Linux due to its open-source nature and extensive usage at enterprise level. That said, the same principles apply to other OSs.

Namespaces

The namespaces in Linux include:
1) PID: Responsible for isolating process IDs.
2) Network: Manages network interfaces.
3) Inter-Process Communication (IPC): Manages access to IPC resources.
4) Mount: Responsible for managing the filesystem mount points.
5) Unix Timesharing System (UTS): Provides different/isolated hostnames and domain names to processes.
6) User: Isolates user IDs.
7) Control Group: Isolates the control group information.
8) Time (added in 2020): Allows different system times within the system.

Parent and Child PID Namespaces

Single-parent family!

Namespaces – Example (cont’d)

The child processes with PID2 and PID3 in the parent namespace also belong to their own PID namespaces, in which their PID is 1.

From within a child namespace, the PID1 process cannot see anything outside.
o E.g., PID1 in both child namespaces cannot see PID4 in the parent namespace.

This is conceptually similar to having different folders and subfolders in a file system (e.g., within your laptop).

Container view (cont’d)

Server (aka, parent) vs Client (aka, child)

As you will see from the following output, both the host and the Docker Ubuntu container have their own namespaces:

$ (sudo) lsns

Vs

$ docker run -it ubuntu:18.04 bash
$ (sudo) lsns

Cgroups features

cgroups(7) — Linux manual

A cgroup is a kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes.

Cgroups provide the following main features:
o Resource limit: To limit how much of a particular resource a process can use.
o Prioritization: To control how much of a resource a process can use (compared to other cgroups) when there is resource contention.
o Accounting: Limits are monitored/reported at cgroup level.
o Control: The configuration of all processes in a cgroup is accessible/modifiable via commands.

NOTE: Btw, do you know that everything in Linux is handled (at its lowest level) as “files”?

Cgroups vs Namespaces

Namespaces and cgroups are often combined to provide a higher level of isolation and more granular resource management (e.g., containers).

Docker

Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.

It was first released in 2013, is developed by Docker, Inc. and has gradually become the de facto standard for containers in the industry.

https://www.docker.com/

By default, Docker makes use of 5 namespaces when it creates a container (i.e., mnt, uts, ipc, pid, and net).

Anything inside a container can only access things inside it.
o Exceptions only when explicitly created by the user.

Containers limit the scope of impact that a program can have on
o other running programs,
o the data it can access,
o system resources.

Containers vs Virtual Machines

~4-10 times more containers (compared to VMs) on the same hardware!

NOTE: Lifecycles are used extensively in the CS/IT world. Be sure to understand them. Luckily, they behave similarly to their real-world counterparts!

Kubernetes (K8S)

A container orchestration system.

Kubernetes Architecture
https://katacontainers.io/use-cases/

Real World Example: Google’s Borg

Background: Google needed a system to manage thousands of applications across its vast data centres efficiently.
https://datacenterlocations.com/google/

Solution: Borg, a cluster management system that provides resource isolation at container level.
It allocates resources to different apps, and ensures they do not interfere with each other.
https://research.google/pubs/large-scale-cluster-management-at-google-with-borg/

Outcome: Borg enabled Google to improve resource utilisation significantly, leading to better performance and stability of applications. It also laid the groundwork for Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications.
https://kubernetes.io/
https://github.com/kubernetes/kubernetes/tree/master

Namespaces are a way to isolate process IDs, user IDs, file system, etc. between “namespaced” processes.

Control groups are a way to isolate hardware resources and limit the behaviour of processes at runtime.

Containers are an abstraction built on top of namespaces (by default), and control groups (not by default).

Technologies like Kata containers and Kubernetes (K8s) can be used to achieve higher isolation/security in large-scale systems.

Without proper isolation of runtimes, modern cloud computing would be impossible.

That is all, folks!
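
The host-versus-container `lsns` comparison from the namespaces part of the lecture can be automated as an isolation check. This is an added example, not code from the lecture: the function names and the sample inode numbers are assumptions made for illustration, and the sample dictionaries stand in for what `/proc/<pid>/ns` would show on a real host.

```python
import os
import re

# The five namespaces the lecture says Docker creates by default.
DOCKER_DEFAULT = ("mnt", "uts", "ipc", "pid", "net")
NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_link(target):
    """'pid:[4026531836]' (a /proc/<pid>/ns/* link target) -> ('pid', 4026531836)."""
    m = NS_LINK.match(target.strip())
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group(1), int(m.group(2))


def read_namespaces(pid):
    """Live lookup on Linux; other users' processes need root, as with lsns."""
    ns_dir = f"/proc/{pid}/ns"
    return {name: parse_ns_link(os.readlink(os.path.join(ns_dir, name)))[1]
            for name in os.listdir(ns_dir) if not name.endswith("_for_children")}


def shared_with_host(host_ns, container_ns, expected=DOCKER_DEFAULT):
    """Namespaces that should be private to the container but have the same
    inode number as the host's, i.e. are in fact the host's namespace."""
    return sorted(n for n in expected
                  if n in host_ns and host_ns[n] == container_ns.get(n))


# Constructed sample data; the inode numbers are made up for illustration.
HOST = {"mnt": 4026531840, "uts": 4026531838, "ipc": 4026531839,
        "pid": 4026531836, "net": 4026531992, "user": 4026531837}
DEFAULT_CONTAINER = {"mnt": 4026532561, "uts": 4026532562, "ipc": 4026532563,
                     "pid": 4026532564, "net": 4026532566, "user": 4026531837}
# The same container if the user explicitly shared the host's PID and network
# namespaces with it (e.g. docker run --pid=host --network=host).
HOST_SHARED = dict(DEFAULT_CONTAINER, pid=HOST["pid"], net=HOST["net"])

if __name__ == "__main__":
    print(shared_with_host(HOST, DEFAULT_CONTAINER))  # []
    print(shared_with_host(HOST, HOST_SHARED))        # ['net', 'pid']
```

On a real host, `read_namespaces(1)` and `read_namespaces(<container's host PID>)` supply the two dictionaries; a non-empty result means that namespace was explicitly shared with the host.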
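
Because cgroup settings are exposed as files, and the lecture notes that containers do not get control-group limits by default, a limit audit is just a matter of reading those files. This is an added example, not code from the lecture: it assumes the cgroup v2 interface files `cpu.max`, `memory.max` and `pids.max`, the function names are hypothetical, and the directories it reads are constructed stand-ins for a group under `/sys/fs/cgroup`.

```python
import os
import tempfile


def _read(cgroup_dir, name):
    """Read one cgroup interface file and split it into fields."""
    with open(os.path.join(cgroup_dir, name)) as fh:
        return fh.read().split()


def cgroup_limits(cgroup_dir):
    """Return the CPU, memory and process-count limits of one cgroup.
    None means the file says 'max', i.e. no limit is configured."""
    quota, period = _read(cgroup_dir, "cpu.max")   # "<quota> <period>" in microseconds
    memory, = _read(cgroup_dir, "memory.max")      # bytes, or "max"
    pids, = _read(cgroup_dir, "pids.max")          # process count, or "max"
    return {
        "cpus": None if quota == "max" else int(quota) / int(period),
        "memory_bytes": None if memory == "max" else int(memory),
        "pids": None if pids == "max" else int(pids),
    }


def unlimited(limits):
    """Resources this cgroup can still consume without bound, which is how
    one workload ends up saturating a resource its neighbours need."""
    return sorted(k for k, v in limits.items() if v is None)


def make_sample(cpu, memory, pids):
    """Build a constructed stand-in for a /sys/fs/cgroup/<group> directory."""
    d = tempfile.mkdtemp()
    for name, value in (("cpu.max", cpu), ("memory.max", memory),
                        ("pids.max", pids)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(value + "\n")
    return d


if __name__ == "__main__":
    capped = cgroup_limits(make_sample("50000 100000", "268435456", "100"))
    default = cgroup_limits(make_sample("max 100000", "max", "max"))
    print(capped, unlimited(capped))
    print(default, unlimited(default))
```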
