What makes containers so light weight?
As a DevOps Engineer we work around containers all the time, but do we really know what makes these containers so light weight, let’s find out.
Containers are lightweight primarily because of their design and the way they use system resources efficiently. Let’s find out in detail what actually makes these containers so light weight.
Containers can be installed directly on Virtual Machines and Physical servers. Whereas Virtual Machine can only be installed only on physical servers only.
Note: Hypervisor abstracts the hardware resources (CPU, memory, storage, etc.) and allocates them to the VMs, enabling efficient resource utilization and isolation. Hypervisor can be installed directly on bare metal with or without Operating System in order to run Virtual Machines efficiently.
Shared Host OS Kernel:
Containers do not contain a complete operating system; they utilize the host system's kernel.
This approach removes the need to duplicate the OS across instances.
Namespaces for Isolation:
Employ Linux namespaces for isolating processes, networks, and file systems.
Each container receives a virtualized resource view without duplication.
Control Groups (cgroups):
Manage resource allocation (CPU, memory, I/O) efficiently.
Prevents resource overconsumption without additional overhead.
(Can also study how Control Groups differ from Process groups)
Union File Systems:
Technologies like OverlayFS or AUFS enable file system layer sharing.
Common base images are shared among containers, minimizing storage use.
Small Image Sizes:
Base images often utilize minimal distributions (e.g., Alpine Linux, <5MB).
Images are crafted to include only essential binaries and dependencies.
Rapid Boot Times:
Containers operate as isolated processes within the host OS.
There is no requirement for a bootloader or the initialization processes of a full OS.
No Hardware Emulation:
Unlike virtual machines, containers do not necessitate virtual hardware.
This removes the overhead associated with hypervisors.
Efficient Resource Utilization:
Containers consume only the resources they require, facilitated by cgroups.
Host resources are dynamically allocated rather than being statically reserved.
Let’s understand Cgroups and namespaces in detail as its very important for us to know.
Cgroups
Cgroups means control groups that allows the grouping of processes and the management of their resources usage. It allocates resources such as CPU, memory, disk I/O, and network bandwidth to these groups of processes, thereby controlling their performance and ensuring that no single group can monopolize system resources.
Resource limiting: - Limits the amount of resources a group of processes can use. We can set maximum amount of memory, CPU, etc., that group can consume.
Prioritization: - can assign priorities to critical applications to receive more resources.
Accounting: - tracks resources usage of processes for monitoring and logging.
Isolation: - independent performance of groups.
Control: - Cgroups allows to freeze, restart or kill all processes in a group.
Root Cgroup (CPU, Memory, Blkio)
|
+--------------+--------------+
| |
Parent Cgroup A Parent Cgroup B
(CPU: 50%, Memory: 1GB) (CPU: 30%, Memory: 2GB)
| |
+------|------| +------|------+
| | | | | |
Cgroup A1 Cgroup A2 Cgroup A3 Cgroup B1 Cgroup B2
(CPU: 25%) (Memory: 500MB) (CPU: 15%) (Memory: 1GB)
Let’s see how Cgroups and Process groups are different.
| Feature | Cgroups | Process groups |
| Purpose | Manage system resource usage. | Manage process signaling and control. |
| Grouping Criteria | Grouped based on resource needs (defined by admin). | Grouped based on parent-child relationships. |
| Control Scope | Resource limits, monitoring, isolation. | Signals (e.g., SIGSTOP, SIGKILL). |
| Use Case | Docker, Kubernetes, systemd. | Interactive shells, job control. |
| ID System | Identified by Cgroups path. | Identified by PGID. |
Namespaces
Namespaces provide process isolation, ensuring that a process or a set of processes has a restricted view of the system, such as its own PID, filesystem, or network stack.
Types of Namespaces
PID Namespace:
Isolates process IDs.
Processes in different PID namespaces can have the same PID but remain isolated from each other.
Mount Namespace:
Isolates the filesystem view.
A process can mount or unmount filesystems without affecting others.
UTS Namespace:
Isolates system identifiers such as hostname and domain name.
Useful for containers to have unique hostnames.
IPC Namespace:
- Isolates inter-process communication mechanisms (e.g., shared memory, message queues).
Network Namespace:
Isolates network interfaces and routing tables.
Processes can have their own network stack, including IP addresses, ports, and routing.
User Namespace:
Isolates user IDs and group IDs.
Allows processes to have different views of user privileges (e.g., root in a namespace might not be root in the host).
Cgroup Namespace:
Isolates the view of cgroups.
Processes see only the cgroups to which they belong.
Cgroups + Namespaces = Containers
When combined, cgroups and namespaces form the foundation of containerization by achieving both:
Resource Management (cgroups): Ensure containers use only their allocated resources.
Process Isolation (namespaces): Ensure containers have isolated environments.
Example in Containers:
Namespaces:
- Each container gets its own PID, network, and filesystem namespace.
Cgroups:
- CPU, memory, and disk I/O usage are limited per container.
The container runtime invokes the Linux Kernels clone or unshare system calls to create new namespaces.
Namespaces helps in container Isolation, security and efficiency.