CentOS 7 Overview. Part 1: Linux Containers

    Today we are announcing the availability of the CentOS 7 operating system release in the InfoboxCloud cloud. It is based on the Red Hat Enterprise Linux 7 package base and is fully compatible with it. At the end of the post there is a link to free testing in the cloud.

    CentOS 7 is the first OS release since the CentOS team joined Red Hat. This OS is stable and ready for enterprise use.

    We are starting a review of the new OS, consisting of a series of theoretical and practical articles. The first part of the review covers Linux container support in CentOS 7. In the cloud, the minimal installation of CentOS 7 is used by default to maximize security by reducing the attack surface; all other OS components are installed from the standard repositories.


    Key changes to CentOS 7

    • Linux container support (including Docker). Containers expand the capabilities for developing, delivering and isolating software for test and production workloads. Containerization also improves software security by reducing the attack surface;
    • Active Directory / Identity Management (IdM) integration;
    • systemd, a standard for managing processes, services, security and other resources;
    • Built-in profiles and tools for performance tuning and easy scaling;
    • Unified management tools and the OpenLMI management framework, which is effectively the industry standard for administering and configuring the system;
    • A technology preview of kpatch, which applies kernel updates without rebooting.

    Linux container support

    Docker has certainly made a splash, generating a fair amount of noise in the blogosphere and on social networks. In various fields, containers have been actively used to isolate applications from each other and from the outside environment, and as a means of software delivery and deployment.

    In InfoboxCloud, container virtualization has been used for several years as one of the virtualization options: it is faster and more efficient than hypervisor technology. The standard InfoboxCloud functionality lets you quickly create fast and efficient containers with the required OS from the control panel. Using containers inside an InfoboxCloud virtual machine (the "Allow OS kernel control" flag when creating a server in the cloud) brings new capabilities:
    • While retaining control over the OS kernel, it becomes possible to isolate applications from each other. If one application fails, the system remains stable.
    • Developers want to ship software that is easy to deploy, update and scale. Containers give more control over the software runtime environment and make it possible to create a portable image of the software and its environment that is easy to move between runtime environments.

    Key features of Linux containers:
    • Resource management;
    • Process isolation;
    • Security;
    • Command line management tools.

    In the context of Linux containers, resource management is handled by cgroups. Cgroups let the user allocate resources such as CPU time, system memory, network bandwidth, I/O, or any combination of these to a user-defined group of tasks or processes running on the system. Users can monitor any configured cgroup, deny a cgroup access to certain resources, or even reconfigure cgroups dynamically on a running system. With cgroups, system administrators have fine-grained control over allocating, prioritizing, limiting, managing and monitoring system resources. Hardware resources (hypervisor resources) can be easily shared between tasks and users, often increasing overall system efficiency. Cgroups are not a new concept; they appeared in CentOS 6.

    Process isolation, the heart of the Linux container architecture, is provided by the CentOS kernel's namespaces. Linux currently implements six different types of namespaces. The goal of each is to wrap a global system resource in an abstraction, so that the resource appears as an isolated instance to the processes within the namespace. This gives isolation: the illusion that a group of processes is alone on the system. Namespaces are needed because the Linux kernel knows nothing about containers; the namespace's job is to teach the kernel the concept of an isolated environment.

    CentOS 7 implements the following namespaces:
    • The PID namespace isolates process identifiers, allowing processes in different PID namespaces to have the same PID. One of the main advantages of PID namespaces is that containers can migrate between hosts while keeping the same process identifiers inside the container. The PID namespace also allows each container to have its own init process, which handles the various system initialization tasks and manages the container's life cycle.
    • Network namespaces isolate network controllers, the system resources associated with networking, firewalls and routing tables. They allow each container to have its own virtual network stack, associated with a group of processes. Each namespace has its own loopback device and process space. Virtual or physical devices can be added to each network namespace, assigned IP addresses, and used as a network node.
    • UTS namespaces isolate two system identifiers, nodename and domainname, returned by the uname() system call. UTS namespaces allow each container to have its own hostname and NIS domain name, which is useful for initialization and configuration scripts that act on these names.
    • Mount namespaces isolate the set of file system mount points seen by a group of processes and help in creating a variety of read-only file systems. Processes in different mount namespaces can see different views of the file system hierarchy. With mount namespaces, the mount() and umount() system calls no longer operate on a global mount point space visible to all processes in the OS; instead they act only within the mount namespace associated with the container process.
    • IPC namespaces isolate certain interprocess communication (IPC) resources, such as System V IPC objects and POSIX message queues. Each IPC namespace has its own set of System V identifiers and its own POSIX message queue file system.
    • User namespaces isolate user and group identifiers, so that a process's user and group IDs can differ inside and outside the user namespace. The most interesting case is a process that has a regular unprivileged ID outside the user namespace but user ID 0 inside it: such a process has full root privileges for operations inside the user namespace, but is unprivileged for operations outside it.
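    The cgroup and namespace mechanisms described in the two passages above are what a container's isolation actually rests on, so the practical check a defender wants is "does this process really sit in its own namespaces and in a limited cgroup?" The script below is an added example written for this article; it is not code from CentOS, Red Hat, InfoboxCloud or Docker. It reads the kernel's own view of a process, the `/proc/<pid>/ns/<type>` symlinks (whose targets look like `pid:[4026531836]`) and `/proc/<pid>/cgroup`, compares the process against PID 1, and reports any namespace the process shares with init and any cgroup controller in which it sits at the root (i.e. unlimited). The function names (`audit`, `read_namespaces`, `parse_cgroup_file`) are my own, and all sample values, including the inode numbers and the `/docker/0123abcd` cgroup path, are constructed, not captured from a real host.

```python
"""Audit which isolation boundaries a process actually has.

Added example for this article (not CentOS, Red Hat or InfoboxCloud code).
A process that shares the PID or network namespace with PID 1, or that is in
the root cgroup of every controller, is not isolated even if a container
runtime started it.
"""
import os
import re

# The six namespace types discussed in the article, as named under /proc/<pid>/ns/.
NS_TYPES = ("pid", "net", "uts", "mnt", "ipc", "user")

# Target of a /proc/<pid>/ns/<type> symlink, e.g. "pid:[4026531836]".
_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target):
    """Split a namespace symlink target into (type, inode)."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError("not a namespace link: %r" % target)
    return m.group("type"), int(m.group("inode"))


def read_namespaces(pid):
    """Return {type: inode} for a live process (needs ptrace access to that PID)."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = parse_ns_link(os.readlink("/proc/%s/ns/%s" % (pid, ns)))[1]
        except OSError:
            continue  # type unsupported by this kernel, or not readable
    return result


def shared_namespaces(proc_ns, ref_ns):
    """Namespace types whose inode is identical in both processes: no isolation there."""
    return sorted(t for t in proc_ns if t in ref_ns and proc_ns[t] == ref_ns[t])


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup ('hierarchy:controllers:path') into {controller: path}.

    cgroup v1 lists controllers per line ('cpu,cpuacct'); named hierarchies use
    'name=systemd'; a cgroup v2 line has an empty controller field ('0::/path').
    """
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy, controllers, path = line.split(":", 2)
        for c in (controllers.split(",") if controllers else ["unified"]):
            out[c.replace("name=", "")] = path
    return out


def unconfined_controllers(cgroups):
    """Controllers where the process is in the root cgroup, so no limit applies."""
    return sorted(c for c, path in cgroups.items() if path == "/")


def audit(proc_ns, ref_ns, cgroups):
    """Combine both checks into one report."""
    return {
        "shared_namespaces": shared_namespaces(proc_ns, ref_ns),
        "unconfined_controllers": unconfined_controllers(cgroups),
    }


# Constructed sample data (not captured from a real host): a container that was
# started with the host network namespace and without a memory limit. The
# user namespace is shared because the runtime did not create one, which was
# the default for Docker at the time of CentOS 7.
HOST_INIT_NS = {"pid": 4026531836, "net": 4026531956, "uts": 4026531838,
                "mnt": 4026531840, "ipc": 4026531839, "user": 4026531837}
CONTAINER_NS = {"pid": 4026532251, "net": 4026531956, "uts": 4026532249,
                "mnt": 4026532247, "ipc": 4026532250, "user": 4026531837}
CONTAINER_CGROUP = """\
11:memory:/
10:cpu,cpuacct:/docker/0123abcd
9:pids:/docker/0123abcd
1:name=systemd:/docker/0123abcd
"""


if __name__ == "__main__":
    # Sample run on the constructed data.
    print(audit(CONTAINER_NS, HOST_INIT_NS, parse_cgroup_file(CONTAINER_CGROUP)))
    # Live run: this process against PID 1. Reading PID 1's namespace links
    # needs root (or CAP_SYS_PTRACE); unreadable entries are simply skipped.
    try:
        with open("/proc/self/cgroup") as f:
            live_cgroups = parse_cgroup_file(f.read())
    except OSError:
        live_cgroups = {}
    print(audit(read_namespaces("self"), read_namespaces(1), live_cgroups))
```

    On the constructed data the report is `{'shared_namespaces': ['net', 'user'], 'unconfined_controllers': ['memory']}`: the container has its own PID, mount, UTS and IPC namespaces, but sees the host's network stack and has no memory limit. Run inside a container, "PID 1" is the container's own init, so to audit a container from the outside run the script on the host against the container's PID.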

    For security, SELinux is also used; like cgroups, it is not a new concept and has existed since CentOS 4. SELinux applies security labels and policies to Linux containers and their resources, providing an additional layer of security on top of that provided by kernel namespaces.

    The Red Hat team (you know who actually developed all this) began working on Docker starting with version 0.7. Red Hat contributed a new storage driver that allowed Docker to run on CentOS 7. In the course of further collaboration and Red Hat's contributions to Docker, a new built-in runtime driver based on libcontainer was developed, designed to access the kernel's container API directly, without third-party dependencies. This native toolkit can control system kernel capabilities such as cgroups, namespaces, network interfaces, the firewall and other kernel features. Thanks to Red Hat, Docker in CentOS 7 is now ready for enterprise use.

    Thus, Linux containers are an important open source technology for packaging and delivering applications, combining lightweight isolation and the flexibility of image-based deployment methods.

    Sources used in preparing the article:
    RedHat Knowledge Base
    Official RedHat Blog
    Official CentOS Blog

    Especially for our readers, we have provided the opportunity to try CentOS 7 in the InfoboxCloud cloud. Register for a 15-day trial at this link. If you need more resources for testing than the trial provides, write to trukhinyuri@infoboxcloud.com

    Enjoy using CentOS 7! To be continued.
