4.3 Processes and cgroups
parent
adc1f4b1c0
commit
5e549b1451
@ -38,4 +38,61 @@ location of docker socket file on linux: `/var/run/docker.sock`
We can control the docker server using docker client inside a container: `docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker sh`
##
## Networking in Brief
TODO: Need further research this topic
* **Ethernet** layer: moves "frames" on a wire (or wireless)
* **IP** layer: moves packets on a local network
* **Routing**: forwards packets between networks
* **Ports**: address particular programs on a computer
### Bridging
* Docker uses bridges to create virtual networks in computer
* They are like software network switches
* They control Ethernet layer
* You can turn off this protection with `docker run --net=host options image-name command`
* `--net=host` gives container direct access to network
* Useful for learning/debugging
### Routing
* Creates "firewall" rules to move packets between networks
* NAT (Network Address Translation)
* Change the source address on the way out
* Change the destination address on the way back
`sudo iptables -n -L -t nat`
* `-n` for
`--previlige=true` will give docker all access
* Exposing a port = "port forwarding" in network layer
### Namespaces
* Allow process to be attached to private network segments
* Private networks are bridged into a shared network with the rest of the containers
* Containers get their own copy of the networking stack
??? Need learn this section (Container Networking in linkedin) specifically
## Processes and cgroups
### Primer on Linux Processes
* Processes come from other processes (parent-child relationship)
* When a child process exits, it returns an exit code to its parent
* **Process Zero** (`init`) is the process that starts the rest
* In Docker, a container starts with an init process and vanishes when that process exit
* By knowing the init process of the container, we can kill the container
`docker inspect` can be ...????
### Resource Limiting
Set limit for
* Scheduling CPU time
* Memory allocation limits
* Inherited limitations and quotas (summed total cannot exceed the limit)
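Review bot: the line `` `--previlige=true` will give docker all access `` names a flag that does not exist; the Docker option is `--privileged`, and what it grants is the container nearly all host capabilities plus access to the host's devices, so the line should read something like "`--privileged` gives the container almost full access to the host" and should sit with the container-security notes rather than inside the routing/NAT list. In the same spirit, the socket-mount command `docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker sh` needs a warning next to it: anything that can write to `/var/run/docker.sock` can ask the daemon to start a privileged container with the host filesystem mounted, which is equivalent to root on the host, and `--net=host` in the bridging list removes the container's network namespace entirely (no separate interfaces, no port isolation), which is the "protection" that bullet says is turned off. Under "Primer on Linux Processes", `init` is PID 1, not "Process Zero" (PID 0 is the kernel's idle/swapper task); inside a container the command you start becomes PID 1 of the container's own PID namespace and the container stops when that process exits, which is what "vanishes when that process exit" is trying to say. Two bullets are unfinished: `* -n for` (in `iptables`, `-n` prints addresses and ports numerically instead of resolving names) and `docker inspect can be ...????` (the `.State.Pid` field of `docker inspect <container>` is the host PID of the container's main process, the value the "knowing the init process ... we can kill the container" bullet depends on).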